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DEPARTMENT  OF  DEFENSE 
400  ARMY  NAVY  DRIVE 
ARLINGTON,  VIRGINIA  22202-2884 


June  29,  1995 

MEMORANDUM  FOR  DIRECTOR,  DEFENSE  FINANCE  AND  ACCOUNTING 

SERVICE 

COMMANDER,  DEFENSE  LOGISTICS  AGENCY 
INSPECTOR  GENERAL,  DEFENSE  INFORMATION 
SYSTEMS  AGENCY 

SUBJECT:  Report  on  the  Followup  Audit  of  Controls  Over  Operating  System  and 
Security  Software  and  Other  General  Controls  for  Computer  Systems 
Supporting  the  Defense  Finance  and  Accounting  Service 
(Report  No.  95-263) 

We  are  providing  this  report  for  management's  review  and  comments.  We 
performed  the  audit  in  response  to  a  request  from  the  Under  Secretary  of  Defense 
(Comptroller)  and  Ae  Assistant  Secretary  of  Defense  (Command,  Control, 
Communications  and  Intelligence).  We  considered  management  comments  on  a  draft 
of  this  report  in  preparing  the  final  report. 

DoD  Directive  7650.3  requires  that  all  recommendations  be  promptly  resolved. 
The  Defense  Logistics  Agency  did  not  comment  on  a  draft  of  this  report  in  time  for  the 
comments  to  be  included  in  this  final  report.  Comments  from  the  Defense  Information 
Systems  Agency  were  not  fully  responsive.  Therefore,  additional  comments  are 
requested  by  July  31,  1995,  from  Aese  two  organizations,  as  indicated  at  the  end  of 
each  finding  in  Part  I  of  the  report.  Comments  from  the  Defense  Finance  ^d 
Accounting  Service,  Denver  Center,  and  the  Defense  Finance  and  Accounting  Service, 
Financial  Systems  Activity  Denver,  conformed  to  the  requirements  of  DoD  Directive 
7650.3  and  left  no  unresolved  issues.  Therefore,  no  additional  comments  are  requested 
from  these  two  organizations. 

We  appreciate  the  courtesies  extended  to  our  audit  staff.  Questions  about  the 
audit  should  be  directed  to  Mr.  David  C.  Funk,  Audit  Program  Director,  at 
(303)  676-7445  (DSN  926-7445),  or  Mr.  W.  Andy  Cooley,  Audit  Project  Manager,  at 
(303)  676-7393  (DSN  926-7393).  See  Appendix  G  for  the  report  distribution.  The 
audit  team  members  are  listed  inside  the  back  cover. 


Robert  J.  Lieberman 
Assistant  Inspector  General 
for  Auditing 
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(Project  No.  4FD-5068) 

Controls  Over  Operating  System  and  Security  Software  and 
Other  Genera]  Controls  for  Computer  Systems  Supporting  the 
Defense  Finance  and  Accounting  Service 

Executive  Summary 


Litroduction.  This  audit  was  made  to  evaluate  the  corrective  actions  taken  by  the  Defense 
Infonnation  Systems  Agency  Western  Hemisphere  and  Ae  Defense  Logistics  Agency,  Systems 
Design  Center,  in  response  to  prior  audits  of  computer  security  and  ofter  general  controls.  A 
separate  audit  was  made  on  the  corrective  actions  taken  in  response  to  these  prior  audits  of  the 
Defense  Finance  and  Accounting  Service,  Financial  Systems  Activity,  Denver,  Colorado;  and 
the  Defense  Information  Systems  Agency  Western  Hemisphere's  Defense  Information 
Processing  Center,  Pensacola,  Florida.  The  audits  were  requested  by  the  Under  Secretary  of 
Defense  (Comptroller)  and  the  Assistant  Secretary  of  Defense  (Command,  Control, 
Communications  and  Intelligence). 

Objectives.  Our  objective  was  to  determine  whether  corrective  actions  taken  or  planned  by 
the  Defense  Information  Systems  Agency,  Western  Hemisphere,  and  the  Defense  Logistics 
Agency,  Systems  Design  Center  to  improve  computer  security  j^equately  responded  to  die 
recommendations  made  in  prior  audit  reports.  The  audit  also  e\^uated  the  effectiveness  of 
applicable  internal  controls  and  each  organization's  implementation  of  the  DoD  management 
control  program  as  it  pertained  to  our  audit  objectives. 

Audit  Results.  De^ite  other  demands  on  their  resources,  the  Defense  Finance  and 
Accounting  Service,  the  Defense  Information  Systems  Agency,  and  the  Defense  Logistics 
Agency  made  commendable  efforts  to  implement  prior  audit  recommendations.  However, 
additional  corrective  actions  were  required  in  some  areas.  Including  the  results  of  the  separate 
audit,  we  followed  up  on  87  of  the  112  recommendations  made  in  prior  audit  reports.  Audit 
followup  on  25  recommendations  was  deferred  because  the  organizations  to  which  the 
recommendations  were  made  were  being  consolidated  into  various  Defense  Information 
Systems  Agency  megacenters.  Of  the  87  recommendations,  the  Defense  Finance  and 
Accounting  Service,  the  Defense  Information  Systems  Agency,  and  the  Defense  Logistics 
Agency  had  taken  adequate  corrective  actions  on  67  recommoidations  (77  percent),  and 
additional  corrective  actions  were  required  on  20  (23  percent).  Moreover,  although 
incomplete,  planned  actions  on  5  of  the  26  recommendations  requiring  additional  corrective 
action  were  considered  adequate.  One  recommendation  previously  made  to  the  Defense 
Information  Systems  Agency  was  partially  redirected  to  the  Defense  Finance  and  Accounting 
Service. 

Because  of  their  sensitive  nature,  the  deficiencies  discussed  in  this  report  are  presented  in 
general  terms  only;  specific  details  of  the  findings  were  separately  provided  to  management. 
Although  no  quantifiable  monetary  benefits  were  disclosed,  Ae  audit  showed  that  opportunities 
existed  for  improving  computer  security  at  the  Defense  Finance  and  Accounting  Service,  the 
Defense  Information  Systems  Agency,  and  the  Defense  Logistics  Agency.  Excluding  the 
separate  audit,  the  results  of  our  audit  of  actions  taken  on  the  recommen^tions  made  to  the 
Defense  Information  Systems  Agency  and  the  Defense  Logistics  Agency  are  summarized 
below  and  in  more  detail  in  Part  I  of  the  report. 


o  Controls  over  sensitive  features  of  the  operating  systems  needed  improvement  at  the 
Defense  Information  Processing  Center-Cleveland;  the  Defense  Logistics  Agency,  Systems 
Design  Center;  the  Defense  Megacenter-Columbus;  and  the  Defense  Megacenter-Denver.  As 
a  result,  application  programs  and  data  such  as  pay  records  could  be  added,  modified,  or 
deleted  without  detection  (Finding  A). 

o  Although  significant  improvements  had  been  made,  some  additional  improvements 
were  required  in  security  software  and  environmental  controls  at  the  Defense  Finance  and 
Accountog  Service  Denver  Center;  the  Defense  Finance  and  Accounting  Service,  Financial 
Systems  Activity  Denver;  tiie  Defense  Information  Processing  Center-Cleveland;  the  Defense 
Megacenter-Columbus;  and  the  Defense  Megacenter-Denver.  Because  of  the»  weaknesses, 
knowledgeable  users  could  gain  unauthorized  system  access  or  perform  unauthorized  tasks,  md 
computer  assets  valued  at  over  $40  million  were  vulnerable  to  damage  or  destruction 
(Finding  B). 

o  Required  system  reviews,  change  controls,  and  other  procedures  had  not  been 
performed  or  developed  by  die  Defense  Finance  and  Accounting  Service;  Ae  Defense 
Information  Systems  Agency,  Western  Hemisphere;  and  the  Defense  Logistics  Agency, 
Systems  Design  Cwiter.  As  a  result,  operational  efficiency  could  be  reduced,  and  application 
and  operating  system  integrity  could  be  compromised  (Finding  C). 

Summary  of  Recommendations,  Management  Comments,  and  Audit  Response. 
Improvements  were  recommended  in  operating  system  and  security  software,  environment 
controls,  and  management  controls,  "nie  Defense  Finance  and  Accounting  Service  and  its 
Financial  Systems  Activity  Denver  concurred  with  the  recommendations  to  improve  physical 
security  at  one  Defense  megacenter  and  to  eliminate  a  security  exposure  on  one  application. 
The  Defense  Information  Systems  Agency  concurred  with  all  recommendations,  except  for 
three  with  which  they  partially  concurred  and  proposed  alternatives.  Based  on  the  comments 
received,  we  revised  one  recommendation  to  reflect  an  alternative  proposed  by  the  Defense 
Information  Systems  Agency.  Altiiough  the  Defense  Information  Systems  Agency  generatiy 
concurred  wi&  the  recommendations,  its  comments  did  not  adequately  respond  to  ipe 
recommendations.  The  Defense  Logistics  Agency  did  not  respond  to  our  draft  report  in  time 
for  comments  to  be  included  in  this  final  report.  We  request  tiiat  the  Defense  Information 
Systems  Agency  and  toe  Defense  Logistics  Agoicy  provide  comments  on  this  report  by 
July  31,  1995.  See  Part  I  for  our  response  to  management's  comments  and  Part  HI  for  the 
complete  text  of  toe  comments. 

Audit  Followup.  Implementing  toe  recommendations  made  in  this  report  to  toe  Defense 
Finance  and  Accounting  Service,  toe  Defense  Information  Systems  Agency,  and  the  Defense 
Logistics  Agency  will  complete  toe  corrective  actions  required  in  re^nse  to  toe  prior 
recommendations  we  evaluate.  Recommendations  made  in  tois  rq>ort  will  be  followed  up  as 
required  by  DoD  Directive  7650.3.  Therefore,  toe  Office  of  toe  Assistant  Inspector  General 
for  Analysis  and  Followup  plans  no  further  separate  followup  actions  on  toe  prior 
recommendations  to  toe  Defense  Information  Systems  Agracy  and  toe  Defense  Logistics 
Agency. 
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Part  I  -  Audit  Results 


Background 


Computer  Security.  During  FYs  1990  through  1994,  the  Inspector 
General  (IG),  DoD,  and  the  Air  Force  Audit  Agency  (AFAA)  performed  a 
series  of  five  audits  to  evaluate  controls  over  operatmg  system  and  security 
so^are  and  other  general  controls  for  computer  systems  supporting  the 
Defense  Finance  and  Accounting  Service  (DFAS).  The  audits  determined  that 
financial  computer  systems  critical  to  DoD  were  exposed  to  fraud  and  other 
risks.  Knowledgeable  users  could  exploit  weaknesses  in  the  operating  system 
controls  to  improperly  access,  add,  modify,  or  destroy  saisitive  computer  data, 
programs,  and  other  resources  (accidentally  or  intentionally)  without  risk  of 
detection.  These  computer  systems  were  operated  and  managed  by: 

0  the  DFAS  Financial  Systems  Activity  in  Denver,  Colorado  (DFAS 
FSA  Denver); 

o  seven  organizations  that  report  to  the  Defense  Information  Systems 
Agency,  Western  Hentisphere  Q3ISA  WESTHEM)  (formerly  the  Defense 
Information  Services  Organization),  as  follows: 

-  the  Defense  Megacenters  (DMCs)  in  Columbus,  Ohio 
(DMC-Columbus),  and  Denver,  Colorado  (DMC-Denver);  and 

-  the  Defense  Information  Processing  Centers  (DIPCs)  in 
Cleveland,  Ohio  (DIPC-Cleveland);  Dayton,  Ohio  (DIPC-Dayton);  Indian¬ 
apolis,  Indiana  (DlPC-Indianapolis);  Kansas  City,  Missouri  (DIPC- 
Kansas  City);  and  Pensacola,  Florida  (DIPC-Pensacola); 

o  the  Defense  Logistics  Agency,  Systems  Design  Center  (DLA-DSDC), 
in  Columbus,  Ohio;  and 

o  the  Marine  Corps  Computer  and  Telecommunications  Activity 
(MCCTA)  in  Quantico,  Virginia.^ 

Many  of  the  above  organizations  were  reorganized  after  the  original  audits;  in 
some  cases,  they  no  longer  ewst.  For  example,  the  DIPC-Dayton  no  longer 
exists  because  its  worldoad  migrated  to  DMC-Columbus  during  FY  1994.  For 
details  of  these  reorganizations,  see  Appendix  F. 

Congressional  and  DoD  Oversight.  Heightened  concern  over  DoD  computer 
security  surfaced  during  FY  1994.  As  a  result,  the  Inspector  Graeral,  DoD, 
was  asked  to  follow  up  on  prior  computer  security  audits. 


lln  September  1994,  the  production  and  test  systems  at  the  Marine  Corps  Computer 
and  Telecommuitications  Activity,  discussed  in  IG,  DoD,  Report  No.  94-065,  migrated 
to  the  Defense  Megacenter-St.  Louis. 
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Audit  Results 


o  In  April  1994,  the  Deputy  Inspector  General  (IG),  DoD,  testified  on 
Defense  financial  management  issues  before  the  Senate  Governmental  Affairs 
Committee.  The  D^utylG  advised  the  Committee  that  inadequate  controls 
over  computer  security  were  among  several  high-risk  problems  requiring  the 
immediate  attention  of  DoD.  In  May  1994,  the  Committee  Chairman  request^ 
that  the  IG,  DoD,  closely  monitor  DoD  efforts  to  correct  weaknesses  in 
computer  security  and  other  financial  management  problems. 

o  Also  in  April  1994,  the  Assistant  Secretary  of  Defense  (Command, 
Control,  Communications  and  Intelligence)  requested  a  briefing  on  computer 
security  from  the  IG,  DoD.  As  a  result  of  that  briefing  and  directions  from  the 
Assistant  Secretary,  DISA  created  an  Information  Security  Task  Force  (the 
DISA  Task  Force)  to  improve  information  systems  security  at  all  Defense 
megacenters  and  legacy  sites.  One  of  the  DISA  Task  Force's  objectives  was 
reviewing  and  implementing  prior  audit  recommendations  related  to  computer 
security  at  those  sites. 

o  In  June  1994,  the  Senior  Financial  Management  Oversight  Council, 
chaired  by  tiie  Deputy  Secretary  of  Defense,  was  briefed  on  the  wmputer 
security  of  DoD  ^ancial  management  systems.  Among  other  actions,  the 
Deputy  Secretary  of  Defense  directed  DISA  and  DFAS  to  ensure  that  problems 
in  computer  security  were  corrected  by  October  1,  1994.  The  Dq)uty  Secretary 
of  Defense  also  stated  that  the  IG,  DoD,  needed  to  provide  oversight  to  ensure 
that  compliance  was  improved. 

Audit  Request.  On  July  12,  1994,  in  response  to  directions  from  the  Deputy 
Secretary  of  Defense,  die  Under  Secretary  of  Defense  (Comptroller)  and  the 
Assistant  Secretary  of  Defense  (Command,  Control,  Communications  and 
Intelligence)  requested  that  the  IG,  DoD,  confirm  that  DFAS  and  DISA  had 
corrected  the  previously  reported  problems  with  computer  security.  The  IG, 
DoD,  expanded  the  audit's  scope  to  include  evaluating  corrective  actions  taken 
by  DLA-DSDC  in  response  to  the  prior  IG,  DoD,  report,  and  by  DMC-Denver 
in  response  to  a  prior  Air  Force  Audit  Agency  r^wrt.  The  prior  reports  are 
list^  in  Appendix  C. 

This  report  summarizes  the  audit  of  corrective  actions  performed  by  DISA 
WESTHEM  and  DLA-DSDC  in  reroonse  to  recommendations  made  to  them  in 
prior  IG,  DoD,  and  AFAA  reports.^ 

Technical  Terms.  See  Appendix  B,  "Glossary,"  for  definitions  of  the  technical 
terms  used  in  this  x&port. 


^Corrective  actions  taken  in  response  to  recommendations  made  in  IG,  DoD,  R^rts 
No.  94-060  and  No.  94-065  to  DFAS  FSA  Denver  and  DIPC-Pensacola  (formerly 
DFAS  FSA  Pensacola)  were  sq)arately  evaluated  in  IG,  DoD,  Projwt  No.  4FG-5060, 
"Corrective  Action  on  System  and  Software  Security  Deficiencies."  Our  report 
incorporates  the  results  of  the  other  audit. 
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Audit  Results 


Objectives 


Specific  Objectives.  The  objective  of  our  audit  was  to  determine  whether 
corrective  actions  taken  or  planned  by  DISA  WESTHEM  and  DLA-DSDC  to 
improve  computer  security  adequately  responded  to  prior  audit 
recommendations.  Specifically,  we  evaluated  the  corrective  actions  taken  by 
DISA  WESTHEM,  Fort  Ritchie,  Maryland;  DIPC-Cleveland;  DMC-Columbus; 
DMC-Denver;  and  DLA-DSDC.  These  organizations  needed  to  take  corrective 
action  in  response  to  recommendations  made  in  the  four  rqjorts  listed  in 
Appendix  C,  "Prior  Audit  Reports  Subject  to  Audit  Followup." 

In  addition,  we  evaluated  the  effectiveness  of  appli^le  management  controls 
and  each  organization's  implementation  of  DoD  Directive  5010.38,  "Intern^ 
Management  Control  Program,"  April  14,  1987,  as  it  related  to  our  audit 
objectives. 

Revision  of  Audit  Objectives.  Audit  followup  was  deferred  on 
25  recommendations  made  in  IG,  DoD,  Reports  No.  93-002  to 
DIPC-Indianapolis  and  No.  94-065  to  DIPC-Kansas  City  and  MCCTA.  The 
operations  of  those  three  organizations  were  schedule  to  migrate  to  two 
Defense  megacenters  during  the  audit.  For  details,  see  the  discussion  of  scope 
limitations  in  Appendix  A. 
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Finding  A.  Operating  Systems 

DIPC-Cleveland,  DLA-DSDC,  DMC-Columbus,  and  DMC-Denver  had 
significantiy  improved  their  operating  system  controls.  However, 
additional  corrective  actions  were  needed  on  6  of  27  prior  audit 
recommendations.  Specifically,  at  DIPC-Cleveland,  authorize  program 
facility  (APF)  libraries  and  programs  had  not  been  adequately 
monitored,  and  access  to  the  APF  libraries  was  not  adequately 
controlled.  DLA-DSDC  and  DMC-Denver  programmers  had  not 
eliminated  all  supervisor  calls  (SVCs)  that  compromised  system  integrity 
at  their  locations  and  at  DIPC-Cleveland  and  DMC-Columbus.  The 
APF  control  weaknesses  resulted  from  shortages  of  system  programmers 
and  ovarly  lenient  rules  for  security  access.  Supervisor  ^s  with 
integrity  exposures  had  not  been  eliminated;  this  occurred  because 
system  programmers  had  underestimated  the  complexity  of  securing  the 
supervisor  calls.  Also,  DMC-Denver  did  not  act  on  revised 
recommendations  made  by  the  auditors  when  the  auditors  determined 
that  a  previously  recommended  control  technique  for  supervisor  calls 
was  flawed.  The  auditors  provided  alternative  solutions  for  controlling 
Ae  supervisor  calls.  As  a  result  of  all  these  weaknesses,  application 
programs  and  data  such  as  pay  records  could  be  added,  modified,  or 
deleted  without  detection,  and  me  integrity  of  systems  was  not  ensure^. 
The  control  weaknesses  over  supervisor  calls  constitute  a  material 
management  control  weakness. 


Operating  System  Function  and  Summary  of  Results 


Function  of  Operating  System.  The  operating  system  is  a  major  component  of 
any  computer  system.  It  is  an  integrated  collection  of  computer  programs, 
service  routines,  and  supervisory  procedures  that  directs  the  sequence  and 
processing  of  computer  applications  (scheduling  jobs,  loading  programs, 
allocating  computer  memory,  managing  files,  and  controlling  input  and  output 
operations).  The  Multiple  Virtual  Storage  (MVS)  operating  systems  also  isolate 
and  protect  individual  user  programs.  When  the  operating  system  features  are 
properly  administered  and  controlled,  only  authorize  programs  can  modify  the 
processwg  of  other  programs.  However,  operating  systems  are  not  intended  to 
guarantee  diat  only  authorized  users  can  execute  authorized  programs.  As 
discussed  in  Finding  B,  commercial  security  software  packages  control 
authorized  users. 

Summary  of  Audit  Results.  Prior  audits  at  DLA-DSDC  and 
DISA-W^THEM  organizations  had  identified  computer  security  problems 
because  of  inadequate  controls  over  the  APF,  SVCs,  and  other  operating  system 
features  (Appendix  D).  Some  of  those  management  control  weaknesses  were 
material  in  nature.  This  followup  audit  determined  that  DIPC-Cleveland, 
DLA-DSDC,  DMC-Columbus,  and  DMC-Denver  had  adequately  implemented 
21  of  the  27  prior  audit  recommendations  made  to  improve  tiie  operating  system 
controls.  However,  additional  corrective  actions  were  required  in  order  to 
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adequately  implement  six  recommendations  related  to  controlling 
APF-authoriz^  libraries  and  programs  and  SVCs.  Though  still  in  process,  the 
corrective  actions  planned  on  one  of  those  six  recommendations  were  adequate. 
Details  of  our  findings  are  presented  below  and  in  Appendix  D. 


Authorized  Program  Facility 


The  DMC-Columbus,  DMC-Denver,  and  DLA-DSDC  had  adequately 
monitored  and  limited  access  to  APF  libraries.  However,  at  DIPC-Cleveland, 
APF  libraries  and  programs  were  not  adequately  monitored,  and  update  access 
to  the  APF  libraries  was  not  properly  controlled.  APF  maintenance  was  not 
performed  due  to  personnel  shortages  caused  by  the  upcoming  migration  of 
DIPC-Cleveland 's  work  load  to  DMC-Chamber^urg  (Pennsylvania)  in 
addition,  security  personnel  had  applied  lenient  security  rules  to  APF  libraries, 
and  had  not  limited  the  APF  access  of  operating  system  personnel  as  they 
moved  to  other  jobs.  Without  implementing  adequate  control  procedures,  users 
could  create  unauthorized  programs  in  APF  libraries^  bypass  access  security) 
and  add,  modify,  or  delete  sensitive  pay  and  financial  data  files  without 
detection. 

APF  Librair  Controls.  Five  nonexistent  libraries  and  116  different¬ 
sized,  duplicate  programs  in  45  libraries  were  installed  on  the  DIPC-Cleveland 
system.  A  nonexistent  APF  library  may  aUow  users  to  assign  that  APF  library 
name  to  their  libraries,  making  the  libraries  APF-authorized.  Management 
(»ntrol  procedures  normally  require  that  only  system  programmers  assign 
libraries  to  the  APF  list.  Different-sized  programs  in  different  libraries  could 
cause  prog^  errors.  Reviews  to  identify  undocumented  and  duplicate 
APF-authorized  libraries  and  programs  were  not  performed  b^use  of  shortages 
of  system  programmers.  At  DIPC-Cleveland,  vacancies  existed  because  the 
einployees  m  those  positions  had  left  their  jobs  in  anticipation  of  the  upcoming 
migration  of  computer  operations  from  DIPC-Cleveland  to  DMC- 
Chambersburg.  DIPC-Cleveland  managers  stated  that  they  would  review  the 
problem  after  the  contractor  personnel  were  hired  and  trained  for  the  vacant 
system  programmer  positions.  Without  adequate  control  procedures,  users 
could  accidentally  or  intentionally  access,  modify,  or  destroy  information, 
programs,  or  other  sensitive  computer  resources.  Also,  program  errors  could 
result. 


APF  Library  Access.  Security  personnel  at  DIPC-Cleveland  had  not 
Meqimtely  limited  update  access  to  the  APF  libraries.  As  many  as  61  user 
identifications  (IDs)  (»uld  make  changes  to  APF  libraries  that  could  perform 
sensitive  tasks.  Security  personnel  sta^  that,  in  order  to  ensure  maintainability 
of  the  operating  system,  update  access  to  APF  libraries  was  given  to 
programmers  who  had  vacated  system  programming  positions,  as  well  as  their 
replacements.  To  ensure  system  integnty,  update  access  to  APF  libraries  must 


6 


Finding  A.  Operating  Systems 


be  limited  to  the  softw^e  specialist's  (that  is,  the  system  programmer's)  area  of 
responsibility,  as  stated  in  the  draft  DISA  WESTHEM  Policy  Letter  95-3, 
"Control  of  Access  to  Authorized  Program  Facility  (APF)  Library  Files." 


UserA^endor  Supervisor  Calls 


Although  supervisor  calls  provided  by  International  Business  Machines 
Coiporation  (IBM)  were  adequately  controlled,  user/vendor  SVCs  that  were 
installed  on  systems  at  DIPC-Cleveland,  DMC-Columbus,  DMC-Denver,  and 
DLA-DSDC  compromised  the  integrity  of  the  operating  systems  and  DFAS 
applications.  Specifically,  24  integrity  exposures  caused  by  user/vendor  SVCs 
existed  on  8  systems,  which  were  usm  by  DFAS  payroll  programs  and  other 
financial  applications.  System  programmers  secur^  many  previously  rqx)rted 
SVCs.  However,  program  complexities,  application  rehosting,  and  untimely 
scheduling  hindered  system  programmers'  reviews  and  reprogramming  of  Ae 
SVC  exposures.  Also,  DMC-Denver  did  not  act  on  revis^  recommendations 
from  the  auditors  when  the  auditors  determined  that  the  SVC  control  technique 
recommended  in  a  prior  audit  report  was  flawed.  When  the  prior  audit  was 
made,  embedded  passwords  in  SVCs  were  an  accepted  control  technique  within 
the  computer  industry.  However,  we  later  determine]  that  the  passwords  could 
be  extracted  from  the  SVC  by  knowledgeable  users.  The  apphcation  rehosting 
workload  had  decreased,  allowing  system  programmers  to  work  on  the  SVC 
exposures.  In  addition,  DISA  had  provided  good  guidance  for  identifying  SVC 
problems.  At  the  conclusion  of  our  fieldwork,  the  centers  were  implementating 
that  guidance.  Because  of  the  integrity  exposures,  any  knowledgeable  user 
could  bypass  normal  controls  on  the  operating  system  and  security  software  and 
could  add,  modify,  or  delete  system  data. 


Table  1  shows  the  system  integrity  exposures  caused  by  user/vrador  SVCs. 
Table  1.  System  Integrity  Exposures  Caused  by  User/Vendor  SVCs 


Organization 

Number  of 
Deficient 

SVCs 

Number  of 
Svstems 

System 

Integrity 

Exnosures 

DIPC-Cleveland 

1 

1 

DMC-Columbus 

3, 

4 

12 

DMC-Denver 

42 

2 

8 

DLA-DSDC 

2 

1 

Total 

11 

8 

24 

^New  deficiency  not  previously  reported. 
n)nly  one  of  these  SVCs  was  ptevioudy  rq)orted. 
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DIPC-Cleveland.  DIPC-Cleveland  had  corrected  all  of  the  SVC 
problems  previously  rqx>rted.  However,  a  new  integrity  exposure  existed  at 
DIPC-Cleveland  on  one  SVC  provided  with  a  DFAS  Denver  application.  For 
details,  see  the  discussion  below  of  previously  rq>orted  exposures  at 
DMC-Denver.  DMC-Denver  system  programmers  planned  to  provide 
DIPC-Cleveland  with  a  solution  for  the  problem  when  they  resolved  the  SVC 
integrity  exposure. 

DMC-Columbus.  Three  SVCs  installed  on  4  DMC-Columbus  systems 
caused  12  system  integrity  exposures.  However,  DLA-DSDC  was  responsible 
for  eliminating  these  integrity  exposures,  since  DLA-DSDC  provided  the 
operating  systems  to  DMC-Columbus.  System  programmers  at  DLA-DSDC 
were  reviewing  and  reprogramming  the  SVC  exposure  problems. 

DMC-Denver.  Eight  SVC  integrity  exposures  existed  on  the  two 
systems  examined  at  DMC-Denver.  Two  of  the  eight  were  rqxjrted  in  AFAA 
Project  No.  0195410,  "Data  Processing  Center  Operations  and  Security  at  the 
Air  Force  Accounting  and  Finance  Center  (AFAFC),"  August  5,  1991.  When 
these  weaknesses  were  brought  to  their  attention  by  the  auditors,  DMC-Denver 
promptly  corrected  four  additional  SVC  integrity  exposures  (not  among  the 
eight)  on  the  two  systems. 

Previously  Reported  Exposures.  Two  integrity  exposures  had 
been  previously  reported  but  still  exist^  because  DMC-Denver  had  not  acted 
upon  revis/^  recommendations  from  the  auditors  that  the  SVC  control  technique 
(&at  is,  embedded  passwords)  recommended  by  AFAA  was  flawed  and  should 
not  be  implemented.  When  Ae  prior  audit  was  made,  embedded  passwords  in 
SVCs  were  an  accepted  control  technique  within  the  computer  industry. 
However,  the  auditors  later  determined  that  the  passwords  could  be  extracts 
from  the  SVCs  by  knowledgeable  users.  Although  the  auditors  recommended 
other  corrective  actions  in  discussions  with  management,  DMC-Denver  limited 
its  corrective  actions  to  those  recommended  in  die  AFAA  report.  Eliminating 
the  two  SVC  exposures  r^uired  reprogramming  a  large  number  of  programs 
that  used  the  SVCs.  During  the  audit,  system  programmers  at  DMC-Denver 
began  reprogramming  some  of  those  programs. 

DMC-Denver  provided  the  same  SVC  to  DIPC-Cleveland  with  a  DFAS 
application,  thus  compromising  the  integrity  of  <me  system  at  DIPC-Cleveland. 
DMC-Denver  was  responsible  for  r^rogramming  the  ^plication  to  eliminate 
the  exposure  or  taking  other  corrective  action.  To  resolve  this  problem,  the 
IBM  Executive  Systems  Branch  at  DMC-Draver  will  likely  need  application 
programming  support  from  the  DFAS  Financial  Systems  Activity,  Defense  Joint 
Military  Pay  System  Software  Support  Division,  Denver,  Colorado. 


8 


Finding  A.  Operating  Systems 


Other  SVC  Exposures.  Four  integrity  exposures  resulted  from 
the  use  of  embedded  passwords  in  two  SVCs  installed  on  two  systems.  When 
the  AFAA  audit  was  performed,  the  use  of  embedded  passwords  by  SVCs  was 
accept^  (and  recommended  by  the  auditors)  as  being  an  effective  control 
techmque  for  guarding  system  integrity.  As  discuss^  above,  the  auditors 
subsequently  determine  Aat  the  use  of  embedded  passwords  in  SVCs  did  not 
safeguard  system  integrity  because  knowledgeable  users  could  extract  those 
passwords  from  the  SVCs.  Integrity  exposures  existed  on  the  two  SVCs 
because  DMC-Denver  did  not  develop  other  controls  recommended  by  the 
auditors  in  May  1994  and  on  previous  occasions.  Upgrading  system  software 
should  eliminate  the  four  integrity  exposures  caused  by  Aese  two  SVCs. 

During  our  audit,  DMC-Denver  managers  said  they  planned  to  eliminate  two 
other  SVC  exposures  by  replacing  the  software  that  used  the  SVC.  To  replace 
the  existing  software  that  caused  the  integrity  exposure,  DMC-Denver  had 
ordered  new  vendor  software  that  did  not  use  an  SVC.  However,  the  system 
integrity  was  still  compromised  because  the  SVC  had  not  been  deleted  from  the 
two  systems. 


DLA-DSDC.  DLA-DSDC  had  three  SVC  integrity  exposures, 
all  of  which  affected  DMC-Columbus  because  DLA-DSDC  provided  the 
operating  system  to  DMC-Columbus.  System  programmers  adequately 
reprogrammed  one  of  the  SVCs  and  were  evaluating  the  code  of  the  other  two 
SVCs.  If  needed,  the  Director  of  Security,  DISA-WESTHEM,  stated  that  he 
would  provide  contractors  to  assist  in  fixing  the  SVCs. 


Integrity  Guidelines 


The  DISA  WESTHEM  Defense  megacenters  and  information  processing  centers 
h^  not  fully  implemented  the  installation  integrity  guidelines  for  MVS 
operating  systems.  The  "DISA  WESTHEM:  Personnel  and  Security  MVS 
Security  Technical  Implementation  Standards,”  December  29,  1994,  gave 
system  programmers  and  security  personnel  good  guidance  on  MVS  integrity 
and  on  implementation  procedures  for  the  three  major  security  software 
packages.  In  its  DFAS  Security  Readiness  Review,  S^tember  7,  1994,  the 
DISA  Task  Force  stated  that  using  standards  and  procedures  was  one  of  the 
most  effective  methods  of  reducing  the  potential  for  integrity  exposures.  The 
DISA  Task  Force's  report  also  noted  that  the  standards  must  be  followed  and 
mforced.  The  installation  integrity  guidelines  had  not  been  fully  implemented 
b^use  the  original  guidelines  were  not  issued  until  August  29,  1994,  shortly 
before  we  began  our  audit.  For  that  reason,  we  limited  our  audit  to  evaluating 
the  adequacy  of  those  guidelines.  If  the  standards  are  not  fully  implemented, 
computer  systems  at  DISA  WESTHEM  may  continue  to  have  their  integrity 
compromise. 
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Recommendations,  Management  Comments, 
and  Audit  Response 


Revised  Recommendation.  Based  on  the  comments  received,  we  revised 
Recommradation  A.l.a.  to  be  consistent  with  the  alternative  action  proposed  by 
management. 

A.l.  We  recommend  that  the  Commander,  Defense  Information  Systems 
Agency,  Western  Hemisphere: 

a.  Rescind  the  draft  Defense  Information  Systems  Agency,  Western 
Hemisphere,  Policy  Letter  95-3,  "Control  of  Access  to  Authorized  Program 
Facility  (APF)  library  FUes,"  and  incorporate  its  requirements  in  the 
"DISA  WESTHEM  Personnel  and  Security:  MVS  Security  Technical 
Lnplementation  Standards." 

b.  Require  that  the  Director  of  Security: 

(1)  Provide  technical  assistance,  if  requested,  to  the  Defense 
Logistics  Agency,  Systems  Design  Center,  Columbus,  Ohio,  and  to  the 
Defense  Megacenter,  Denver,  Colorado,  to  solve  the  integrity  problems 
caused  by  supervisor  calls. 

(2)  Conduct  and  report  on  periodic  quality  a^urance  reviews 
on  the  Defense  megacenters'  compliance  with  "DISA  WESTHEM  Personnel 
and  Security:  l^S  Security  Technical  Implementation  Standards," 
December  29, 1994. 

Management  Comments.  The  DISA  partially  concurred  with 
Recommendation  A.l.a.  to  finalize  draft  Policy  Letter  95-3.  DISA  stated  that 
the  policy  letter  would  be  rescinded.  Its  requirements  would  be  incorporated  in 
the  next  release  of  the  "DISA  WESTHEM  Personnel  and  Security:  MVS 
Security  Technical  Implementation  Standards,"  which  was  scheduled  for  August 
1995.  Kftuiagement  concurred  with  Recommendation  A.l. b.(l)  to  provide 
technical  assistance  to  DLA-DSDC  and  DMC-D«iver.  Management  stated  that 
technical  assistance  in  securing  SVCs  was  provided  in  response  to  a  request 
from  DMC-Denver.  The  DISA  also  concurred  with  Recom¬ 
mendation  A.l.b.(2),  stating  that  DISA  WESTHEM  had  conducted  compliance 
reviews  at  16  Defense  megacenters  and  had  developed  a  followup  process  for 
taking  corrective  actions  and  reporting  and  tracking  those  actions.  Compliance 
inspections  will  be  conducted  during  FY  1996  without  prior  notice  to  the 
Defense  megacenters.  Also,  DISA  WESTHEM  can  provide  real-time 
surveillance  of  toe  Defense  megacenters. 

Audit  Response.  Except  in  one  respect,  management's  comments  (including 
toe  proposed  alternative  to  Recommendation  A.l.a.)  adequately  respond  to  toe 
recommendations  made.  We  revised  Recommendation  A.l.a.  to  be  consistent 
with  toe  proposed  alternative  of  incorporating  draft  policy  guidance  in  "DISA 
WESTHEM  Personnel  and  Security:  MVS  Security  Teclmical  Implementation 
Standards."  Managemoit  did  not  fully  respond  to  Recommendation  A.l.b.(l) 
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to  provide  necessary  technic^  assistance;  they  did  not  indicate  whether  they 
concurred  with  providing  technical  assistance  to  DLA-DSDC.  Therefore, 
additional  comments  are  requested  from  DISA  on  Recommendation  A.l.b.(l). 

A.2.  We  recommend  that  the  Director,  Defense  Information  Systems 
Agency,  Western  Hemisphere,  Defense  Information  Processing  Center, 
Clevelwd,  Ohio: 

a.  Direct  the  Chief,  Technical  Support,  to  review  all  authorized 
program  facility  libraries  and  programs  and  delete  obsolete  and 
undocumented  programs. 

b.  Direct  the  Automated  Information  System  Security  OfHcer  to 
review  the  access  rules  of  all  authorized  program  facility  libraries  and  limit 
update  access  to  authorized  program  facility  datasets  to  the  software 
specialist's  area  of  responsibility,  as  required  by  "DISA  WESTHEM 
Personnel  and  Security:  MVS  Security  Technical  Implementation 
Standards,"  revised  in  accordance  with  Recommendation  A.l.a.. 

Management  Comments.  The  DISA  concurred  with  both  recommendations. 
As  suggested  in  Recommendation  A.2.a.,  in  April  1995,  DISA  WESTHEM 
review^  all  APF  libraries  and  programs,  and  deleted  obsolete  and 
undocumented  programs.  In  response  to  Recommendation  A.2.b.  to  review 
APF  access  rules  and  limit  update  access,  management  stated  that  all  DISA 
WESTHEM  security  officers  will  be  required  to  review  the  next  release  of  the 
"DISA  WESTHEM  Personnel  and  Security:  MVS  Security  Technical 
Implementation  Standards,"  scheduled  for  release  in  August  1995. 

Audit  Response.  Management  commits  adequately  re^nded  to 
Recommendation  A.2.a.  to  delete  obsolete  and  undocumented  programs. 
However,  management  comments  did  not  ad^uately  respond  to 
Recommendation  A.2.b.  to  review  access  rules  and  limit  update  access  to  APF 
libraries  and  datasets  at  DIPC-Cleveland.  Requiring  DIPC-Cleveland  and  all 
other  DISA  WESTHEM  security  officers  to  review  the  next  release  of  the  MVS 
technical  implementation  standards  is  a  necessary  st^  in  furthering  compliance 
with  those  standards.  However,  when  we  recommended  that  access  rules  be 
reviewed,  we  were  referring  to  ^e  manner  in  which  access  was  defined  in  the 
security  software,  not  to  writtoi  access  rules  such  as  the  "DISA  WESTHEM 
Personnel  and  Security:  MVS  Security  Technical  Implementation  Standards." 
Also,  management's  comments  did  not  describe  the  actions  taken  or  plaimed  at 
DIPC-Cleveland  to  actually  limit  update  access  to  APF  datasets  to  the  system 
programme's  area  of  responsibility.  Therefore,  additional  comments  are 
requested  from  DISA  on  Recommendation  A.2.b. 

A.3.  We  reconunend  that  the  Conumnder,  Defense  Logistics  Agency, 
Systems  Design  Center,  require  the  Director,  Ihfonnation  Systems 
(Technology),  to: 

a.  Develop  and  implement  adequate  controls  over  su^rvisor  calls 
with  integrity  exposures  in  accordance  with  integrity  guidelines.  If 
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required,  tpfhiiipfll  assistance  in  implementing  these  controls  should  be 
requested  from  the  Director  of  Security,  Defense  Information  Systems 
Agency,  Western  Hemisphere. 

b.  Export  the  corrected  supervisor  calls  to  the  Defense  Megacenter, 
Columbus,  Ohio. 

Management  Comments.  The  Defense  Lx>gistics  Agency  did  not  Fesi>ond  to 
the  dr^  of  this  report  in  time  for  the  comments  to  be  included  in  this  final 
report.  The  comments  we  received  will  apply  to  the  final  report  unless  we 
receive  an  additional  response. 

A.4.  We  recommend  that  the  Director,  Defense  Information  ^  Systems 
Agency,  Western  Hemisphere,  Defense  Megacenter-Denver,  direct  the 
Chief,  IBM  Executive  Systems  Branch,  to: 

a.  Make  the  appropriate  changes  required  to  eliminate  the  integrity 
exposures  existing  on  the  four  supervisor  calls. 

b.  Request  appropriate  programming  assistance  from  the  Chief, 
Joint  Military  Pay  System  Software  Support  Division,  at  the  Defense 
Finance  and  Accounting  Service  Financial  Systems  Activity,  Denver, 
Colorado,  in  solving  the  problems  with  supervisor  calls  at  &e  Defense 
Megacenter,  Denver,  Colorado,  and  at  the  Defense  Information  Processing 
Center,  Cleveland,  Ohio. 

c.  Export  the  corrected  supervisor  call  to  the  Defense  Information 
Processing  Center,  Cleveland,  Ohio. 

Management  Comments.  The  DISA  concurr^  with  all  three 
recommendations,  stating  that  DMC-Daiver  was  prioritizing  the  systems  for 
making  the  clmges.  Management  stated,  "While  all  SVCs  are  being  reviewed, 
the  required  work  to  adequately  comply  with  the  recommendations  on  SVC 
[number  deleted],  we  estimate  a  completion  date  of  31  May  1996." 
Management  not^  that  some  corrective  actions  dep^d  on  the  availability  of 
support  from  DFAS  FSA  Denver.  DMC-Denver  stated  that  corrective  actions 
wUl  not  be  taken  with  respect  to  the  SVC  exposures  on  System  B  because  that 
system  will  be  eliminated  by  December  31,  1S^5. 

Audit  Response.  Management  comments  did  not  adequately  respond  to 
Recommendations  A.4.a.,  b.,  and  c.;  the  comments  were  incomplete  and 
vague.  Additional  management  comments  on  this  final  report  are  requested,  for 
the  reasons  stated  below. 

o  In  response  to  Recommendation  A.4.a.  concerning  the  four  SVCs  at 
DMC-Denver,  management  did  not  clearly  indicate  whether  corrective  actions 
would  be  completed  by  May  31,  1996,  on  the  one  SVC  identified  in  the 
comments  or  on  all  four  SVCs  identified  in  the  audit  recommendation.  DMC- 
Denver  officials  told  us  that  the  integrity  exposures  on  three  SVCs  identifi^  by 
the  audit  had  been  eliminated;  however,  the  e;^sure  caused  by  the  remaining 
SVC  will  not  be  eliminated  until  May  31,  1996.  In  addition,  management  did 


12 


Finding  A.  Operating  Systems 


not  provide  specific  actions  and  completion  dates  for  eliminating  the  integrity 
exposures  on  all  four  SVCs,  We  a^ree  with  management  that  corrective  action 
is  not  necessary  on  System  B,  since  it  will  soon  be  eliminated. 

0  Regarding  Recommendation  A.4.b.  to  r^uest  programming  assistance 
firom  DFAS  FSA  Denver,  although  DISA  noted  its  need  for  support  from  that 
organization,  DISA  did  not  indicate  whether  assistance  had  been  requested  or 
give  completion  dates. 

o  Management  comments  did  not  state  what  actions  were  planned  or 
taken,  or  give  related  completion  dates  on  Recommendation  A.4.c.  to  export  the 
corrected  SVC  to  DIPC-Cleveland. 


Management  Comments  Required 

Management  is  requested  to  comment  on  the  items  indicated  with  an  X  in 
Table  2. 


Table  2.  Management  Comments  Required  on  Finding  A. 


Recommendation 

Number 

Oreanization 

Concur/ 

Nonconcur 

Proposed 

Action 

Completion 

Date 

Related 

Issues 

A.l.b.(l) 

DISA 

X 

X 

X 

None 

A.2.b. 

DISA 

X 

X 

None 

A.4.a.,  b.,  c. 

DISA 

X 

X 

None 
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Finding  B.  Security  Software  and 
Environmental  Controls 

The  DIPC-Cleveland,  DMC-Columbus,  DMC-Denver,  and  DLA-DSDC 
had  significantly  improved  their  security  software  and  environmental 
controls.  However,  DMC-Columbus,  DMC-Denver,  and  DIPC- 
Cleveland  needed  to  take  additional  corrective  actions  on  6  of  36  prior 
audit  recommendations: 

o  DMC-Denver  did  not  have  effective  controls  over  bypass  label 
processing  (BLP)  and  the  use  of  one  special  privilege  attribute  of  the 
Computer  Associates,  Inc.,  TOP  SECRET  (CA-TOP  SECRET)  security 
sofiware.  This  occurred  because  of  a  technical  oversight  in  the  BLP 
control  technique  and  because  the  security  personnel  were  unfamiliar 
with  certain  aspects  of  the  special  privilege. 

o  At  DIPC-Cleveland,  sensitive  utilities  were  not  adequately 
controlled  because  of  personnel  shortages  and  implementation  problems. 

0  At  DIPC-Cleveland,  DMC-Columbus,  and  DMC-Denver, 
autoerase  and  erase-on-delete  features  had  not  been  activated  because  of 
the  adverse  impact  on  operations.  Although  requested  by  the  DISA 
WESTHEM  security  officer,  a  waiver  of  this  security  requirement  was 
still  under  review  by  the  Chief  Information  Officer,  DISA,  and  had  not 
been  granted. 

DFAS  Denver  also  needed  to  take  corrective  actions  to  reduce  the  risk  of 
water  damage  at  DMC-Denver.  The  IG,  DoD,  previously  recommended 
Aat  DMC-Denver  install  overhead  water  shutoff  valves.  However,  as  a 
tenant  at  DFAS  Denver,  DMC-Denver  was  not  re^nsible  for  making 
such  blading  modifications.  The  recomm^dation  was  redirected  to 
DFAS  Denver.  Corrective  action  by  DFAS  D«iver  was  delayed  because 
funding  was  not  immediately  available  and  the  work  had  to  be 
scheduled. 

By  improper  use  or  setup  of  CA-TOP  SECRET  and  CA-Access  Control 
Facility  2  (CA-ACF2)  security  software.  Defense  megacenters  increase 
the  risk  that  knowledgeable  users  may  gain  unauthorized  access  or 
perform  unauthorized  tasks.  Inadequate  environmental  controls  make 
computer  assets  at  DMC-Doiver,  valued  at  ovar  $40  million,  more 
vulnerjible  to  accidental  or  deliberate  damage  or  destruction. 


Security  Software  Function  and  Sununary  of  Results 


Rinction  of  Security  Software.  Security  software  is  used  to  prot^t  computer 
resources  such  as  files,  programs,  tapes,  database  definitions,  libraries,  readers, 
and  processing  capabilities.  The  security  software  used  by  DIPC-Cleveland  is 
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known  as  CA-ACF2.  DMC-Denver  used  CA-TOP  SECRET  security  software. 
DLA-DSDC  and  DMC-Columbus  us^  IBM  software  known  as  Resource 
Access  Control  Facility  (RACF). 

CA-TOP  SECRET,  CA-ACF2,  and  RACF  security  software  offer  a  variety  of 
control  options  and  features  to  enhance  system  security.  The  control  options 
and  features  of  the  security  software  should  be  set  for  the  level  of  security 
needed.  The  level  of  protection  achieved  dq)ends  on  how  well  the  options  and 
features  of  CA-TOP  SECRET,  CA-ACF2,  and  RACF  are  administered. 

Summary  of  Audit  Results.  In  prior  audits,  the  AFAA  and  the  IG,  DoD, 
identified  computer  security  problems  at  DLA-DSDC  and  DISA  WESTHEM 
organizations.  The  problems  were  caused  by  inadequate  controls  over  security 
software  and  weaknesses  in  environmental  controls  (Appendixes  C  and  D). 
Some  of  these  management  control  wealmesses  were  materi^  in  nature. 

This  followup  audit  determined  that  30  of  the  36  prior  audit  recommendations 
made  to  improve  security  software  and  environmental  controls  had  been 
adequately  implemented.  DLA-DSDC  implemented  all  seven  recommendations 
made  to  them.  All  but  6  of  the  29  recommmdations  addressed  to 
DIPC-Cleveland,  DMC-Columbus,  and  DMC-Denver  had  been  adequately 
implemented.  Though  still  in  process,  the  corrective  actions  planned  on  three  of 
the  six  recommenthtions  were  adequate.  To  implemrat  our  prior  audit 
recommendations,  corrective  actions  were  also  required  from  DFAS  Denver  and 
DFAS  FSA  Denver.  Details  of  our  findings  are  presented  below  and  in 
Appendix  D. 


Security  Software 


As  detailed  in  Part  I  (Background)  of  the  report,  as  the  result  of  heightened 
concern  over  computer  security,  the  Assistant  Secretary  of  Defense  (Command, 
Control,  Communications  and  Intelligence)  required  the  Director,  DISA,  to 
establish  a  DISA  Task  Force  to  improve  information  systems  security  at  all 
Defense  megacenters  and  legacy  sites.  One  objective  of  the  DISA  Task  Force 
was  to  review  and  implement  prior  audit  recommradations  related  to  computer 
security  at  those  sites.  The  DISA  Task  Force  did  not  specifically  address  the 
recommendations  made  to  DMC-Denver  in  the  AFAA  report  that  is  included  in 
the  scope  of  this  followup  audit  (App^dix  C).  However,  many  of  the  problem 
areas  discussed  in  the  AFAA  r^rt  were  cov^ed  by  the  DISA  Task  Force's 
review,  which  had  a  much  larger  scope  than  the  previous  audits.  When  the 
DISA  Defense  megacenters  and  legacy  sites  implement  all  of  the  DISA  Task 
Force's  recommendations,  overall  physical  and  computer  security  wiU  be  much 
improved.  We  commrad  DISA  for  the  formation  of  the  DISA  Task  Force  to 
redress  the  problems  identified. 

Despite  the  significant  strides  made  by  DISA  WESTHEM  organizations  in 
improving  controls  over  security  software,  this  followup  audit  determined  that 
additional  corrective  actions  were  required,  as  discussed  below. 
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Bypass  Label  Processing  (BLI^.  DMC-Denver  had  implemented  reasonable 
BLP  control.  However,  in  implementing  the  selected  control  technique, 
DMC-Denver  allowed  more  access  than  intended  because  of  a  technical 
oversight.  This  exposure  existed  for  21  user  IDs  and  19  batch  IDs.  The  batch 
IDs  are  production  applications  that  need  BLP.  BLP  is  used  when  nonstandard 
tapes  are  sent  to  a  ^ta  center  for  processing,  and  tape  security  has  to  be 
bypassed.  Because  of  the  technical  ovo’sight,  £ese  user  IDs  and  batch  IDs  had 
read  and  write  access  to  all  files,  not  just  tape  tiles.  A^r  we  notified  the 
DMC-Denver  Automated  Information  System  (AIS)  Security  Officer,  he 
developed  a  different  approach  that  will  resolve  the  exposure.  DMC-Denver 
security  personnel  were  making  the  correction.  Instead  of  using  a  special  ID  to 
control  BLP,  the  AIS  Security  Officer  will  use  a  security  protile.  The  DISA 
Task  Force  dso  identitied  a  BLP  problem  related  to  tiie  "ALL”  record  and  was 
monitoring  the  corrective  actions  t^en. 

Special  Privilege  Attributes.  Excq>t  for  one  attribute,  DMC-Denver 
controlled  the  use  of  special  privilege  attributes.  The  CA-TOP  SECRET 
NOSUBCHK  attribute  u^  in  conjunction  with  one  major  application  presented 
a  security  exposure.  NOSUBCHK  allows  one  user  to  use  another  user's  ID 
without  permission.  We  discussed  this  security  exposure  with  the  AIS  Security 
Officer  and  technical  support  personnel.  The  AIS  Security  Officer  was  unaware 
of  this  exposure.  Elinunating  this  exposure  will  require  action  by  DFAS  FSA 
Denver  and  by  security  personnel  at  DMC-Denver. 

Autoerase.  The  autoerase  and  eiase-on-delete  features  at  DMC-Columbus, 
DMC-Denver,  and  DIPC-Cleveland  were  not  activated  because  doing  so  would 
have  adversely  affected  operational  efficiency.  DoD  Directive  5200.28, 
"Security  Requirements  for  Automated  Information  Systems  (AIS)," 
March  1988,  requires  all  AIS  that  process  sensitive  unclassified  information 
requiring  controlled  access  protection  to  have  C2  security  classifications.  For 
C2  controlled  access  protection,  DoD  Standard  5200.28,  "DoD  Trusted 
Computer  System  Evaluation  Criteria,"  December  1985,  requires  that: 

o  all  computer  files  be  protected, 

o  residual  information  be  erased  from  on-line  disk  devices,  and 

o  jobs  entered  through  job  entry  subsystem  2  (JES2)  be  checked  for  a 
valid  logon  ID  and  password. 

On  February  3,  1995,  the  Seciuity  Officer  at  DISA  WESTHEM  asked  the  Chief 
Information  Officer,  DISA,  to  waive  the  requirement  for  the  erasure  of  residual 
information.  DISA  WESTHEM  documented  two  tests  that  showed  the 
degradation  of  service  that  occurred  when  autoerase  and  erase-on-delete  were 
activated.  DoD  Directive  5200.28  allows  exceptions  to  C2  security 
requirements  wh«i  computer  operations  are  adversely  affected.  However,  the 
waiver  was  still  under  review  by  the  Chief  Information  Officer,  DISA,  and  had 
not  been  granted.  Because  of  me  adverse  impact  on  operations,  we  agree  that 
this  C2  requirement  should  be  waived. 
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Sensitive  Utilities.  DIPC-Cleveland  had  not  adequately  controlled  its  sensitive 
utility  programs  due  to  personnel  shortages  and  technical  problems  in 
controlling  the  utilities  with  the  CA-ACF2  security  software.  Because 
DIPC-Cleveland 's  work  load  was  scheduled  to  move  to  DMC-Chambersburg  in 
August  1995,  numerous  personnel  had  transferred  or  taken  new  jobs. 
Controlling  sensitive  utilities  through  the  CA-ACF2  protected  program  list  also 
presented  certain  technical  limitations.  Certain  users  require  access  to  some  but 
not  all  sensitive  utilities.  However,  user  access  cannot  be  restricted  only  to 
selected  utilities  using  the  CA-ACI^  protected  program  list.  If  a  user  has 
access  to  that  list,  thoi  the  user  has  access  to  all  utilities  in  the  list.  In  order  to 
be  selective,  utility  programs  can  also  be  protected  by  moving  them  to  a 
separate  library  and  writing  i^ropriate  access  rules.  Since  some  personnel 
n^  access  only  to  selected  utilities,  a  combination  of  special  access  rules  and 
the  protected  program  list  would  have  to  be  used.  The  DISA  Task  Force  also 
stat^  that  sensitive  utilities  had  not  been  controlled. 


Environmental  Controls 


At  DMC-Denven  overhead  water  shutoff  valves  had  not  been  installed  in  the 
computer  r(wm.^  As  a  tenant  organization  at  DFAS  Denver,  DMC-Denver 
could  not  install  the  overhead  shutoff  valves  because  doing  so  was  the 
responsibility  of  DFAS  Denver.  Accordingly,  we  redirected  the  audit 
recommendation  to  DFAS  Denver.  DFAS  Denver  concurred  and  planned  to 
install  the  overhead  water  shutoff  valves  in  FY  1995.  Installation  of  the  vdves 
was  delayed  while  obtaining  funds  and  scheduling  tiie  building  modiftcations. 
Until  the  overhead  water  shutoff  valves  are  install^  at  DMC-Denver,  computer 
assets  valued  at  over  $40  million  are  more  vulnerable  to  accidental  or  deliberate 
damage  or  destruction. 


Summary 


Because  security  software  was  not  properly  implemented,  the  DIPC  and  DMC 
systems  were  subject  to  increased  risk  that  knowledgeable  users  might  gain 
unauthorized  access  and  perform  unauthorized  tasks.  Computer  assets  valu^  at 
over  $40  million  at  DMC-Denver  were  exposed  to  increased  risk  of  damage  or 
destruction.  DISA  WESTHEM,  DMC-Denver,  DIPC-Cleveland,  and  DFAS 
Denver  had  substantially  improved  computer  security.  Management  needed  to 
resolve  these  problems  previously  identified. 


^In  Recommendation  D.l.  of  Report  No,  94-060,  "GMieral  Controls  for  Computer 
Systems  at  the  Information  Processing  Craters  of  the  Defense  Information  Services 
Organization,"  March  18,  1994,  the  IG,  DoD,  recommended  that  DMC-Denver  install 
those  valves.  Heat  detectors  were  also  recommended  for  DMC-Denver.  However, 
based  on  the  DISA  Task  Force's  review  at  DMC-Denver,  we  are  no  longer  making  that 
recommendation  because  the  heat  detectors  would  be  of  limited  value. 
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Recommendations,  Management  Comments, 
and  Audit  Response 


B.l.  We  recommend  that  the  Director,  Defense  Information  Systems 
Agency,  Western  Hemisphere,  Defense  Megacenter,  Denver,  Colorado, 
direct  the  Automated  Information  System  Security  Offtcer  to: 

a.  Implement  bypass  label  processing  control  that  limits  access  to 
tape  nies. 


b.  Remove  the  NOSUBCHK  special  privilege  attribute  from  systm 
software  ftiat  supports  Defense  Finance  and  Accounting  Service 
applications. 

Management  Comments.  The  DISA  concurred  with  both  recommen^tions, 
stating  that  bypass  label  processing  was  reviewed  and  corrective  action  was 
completed  in  April  1995.  After  certain  changes  are  made  in  vendor  software, 
DISA  will  remove  the  NOSUBCHK  attribute  from  system  software 

supporting  DFAS  applications  by  December  1995. 

B.2.  We  recommend  that  the  Director,  Defense  Finance  and  Accounting 
Service,  Denver  Center,  require  the  Director,  Directorate  of  Support 
Services,  at  the  Defense  Finance  and  Accounting  Service,  Denver  Center,  to 
install  overhead  shutoff  valves  in  the  computer  room  at  the  Defense 
Megacenter,  Denver,  Colorado. 

Management  Comments.  The  DFAS  concurred,  stating  that  contracting 
actions  for  the  design  and  installation  of  the  overhead  shutoff  valves  should  be 
completed  by  March  1997. 

B.3.  We  recommend  that  the  Director,  Defense  Finance  and  Accounting 
Service,  Financial  Systems  Activity,  Denver,  Colorado,  modify  the 
application  code  to  aUow  the  removal  of  the  NOSUBCHK  special  privilege 
attribute. 

Management  Comments.  The  DFAS  concurred,  stating  that  the  Integrated 
Data  Management  System  programs  using  the  NOSUBCIK  attribute  had  been 
identified.  The  programming  effort  to  remove  the  NOSUBCHK  attribute  had 
been  tested.  We  were  told  that  corrective  actions  were  completed  on 
May  1,  1995. 

B.4.  We  recommend  that  the  Director,  Defense  Information  Systems 
Agency,  Western  Hemisphere,  Defense  Information  Processing  Center, 
Cleveland,  Ohio,  direct  the  Automated  Information  System  Security 
Officer  to  control  sensitive  utilities  by  implementing  the  protected  program 
list  and  the  special  access  rules  feature  of  Computer  Associates,  Lie.,  Access 
Control  Facility  2  security  software. 

Management  Comments.  The  DISA  concurred,  stating  that  the  "DISA 
WESTHEM  Personnel  and  Security:  MVS  Security  Technical  Implementation 
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Standards,"  published  in  December  1994,  explains  how  to  secure  sensitive 
utilities  for  each  security  control  product.  These  standards  were  distributed  to 
each  Defense  megacenter  for  implementation. 

Audit  Response.  Management  comments  did  not  fully  respond  to  the 
recommendation.  In  publishing  the  new  standmds,  DISA  WESTHEM 
established  excellent  written  criteria  for  each  Defense  megacenter  to  follow  in 
securing  sensitive  utilities.  However,  managemrat's  comments  did  not  give 
actions  completed  or  plaimed  and  relat^  completion  dates  for  implementing  the 
DISA  WESTHEM  standards  at  DIPC-Cleveland.  Our  audit  showed  that 
weaknesses  existed  in  the  controls  over  sensitive  utilities  at  DIPC-Cleveland. 
Additional  comments  are  requested  from  DISA  on  Recommendation  B.4. 

B.5.  We  recommend  that  the  Chief  Fufoimation  Officer,  Defense 
Lifomiation  Systems  Agency,  approve  the  request  from  the  Security 
Officer  at  the  Defense  formation  Systems  Agency,  Western  Hemisphere, 
to  waive  the  C2  requirement  for  autoerase  and  erase-on-delete  at  all 
Defense  megacenters. 

Management  Comments.  The  DISA  partially  concurred  with  the 
recommendation  because  management  was  exploring  alternatives  to  waiving  the 
C2  r^uirements  for  autoerase  and  erase-on-delete.  The  DISA  WESTHEM 
security  office  will  provide  its  action  plan  to  DISA  by  June  30,  1995. 

Audit  Response.  We  applaud  management's  efforts  to  fully  implement  the 
C2  security  requirements  of  DoD  Directive  5200.28.  DISA  should  provide 
additional  comments  describing  plaimed  actions,  including  alternatives,  and 
should  give  estimated  completion  dates. 


Management  Comments  Required 


Management  is  requested  to  comment  on  the  items  indicated  with  an  X  in 
Table  3. 


Table  3.  Management  Comments  Required  on  Finding  B. 


Recommendation 

Concur/ 

Proposed 

Completion 

Related 

Number 

Nonconcur 

Action 

Date 

B.4. 

DISA 

X 

X 

None 

B.5. 

DISA 

X 

X 

X 

None 
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The  DMC-Columbus,  DLA-DSDC,  and  DISA  WESTHEM  had  made 
significant  progress  in  strengthening  management  controls.  However,  those 
organizations  still  needed  to  correct  8  of  16  control  weaknesses  identified  in 
prior  audits. 

o  The  DMC-Columbus  did  not  perform  required  recertification  reviews 
of  its  computer  systems. 

o  The  DLA-DSDC  had  not  developed  or  implemented  formal  procedures 
for  controlling  ch^mges  to  the  operating  system. 

oThe  DISA  WESTHEM  had  not  fiilly  developed  the  recommended 
procedures  related  to  controlling  contractors  who  need^  system  access  at  the 
Defense  megacenters,  automat^  data  processing  (ADP)  equipment  contracts, 
and  abnormal  endings  (ABENDS)  to  computer  operations. 

Organizational  realignments  and  higher  priorities  affecting  DMC-Columbus  and 
DISA  WESTHEM  caused  delays  in  meeting  the  requirements  of  prior 
recommendations.  DLA-DSDC  did  not  have  adequate  personnel  resources  with 
subject-matter  expertise  available  to  develop  proc^ures  for  controlling  changes 
to  operating  systems.  The  Director,  DISA  WESTHEM,  relied  on  individual 
computer  centers  to  develop  quality  assurance  programs  for  the  oversight  of 
ADP  equipment  contracts  and  ABQ^DS;  however,  ad^uate  corrective  action 
had  not  been  taken  at  the  sites  we  reviewed.  Unless  strict  management  controls 
are  implemented,  application  and  operating  system  integrity  may  be 
compromised. 


Required  Controls  and  Sununary  of  Results 


Required  Management  Controls.  To  oihance  the  security  of  operating  systems, 
management  controls  should  include  sensitivity  ratings  and  background  investigations 
for  system  programmers,  management  of  their  programming  functions,  a  change 
control  system,  and  off-site  maintaiance  of  operating  system  software.  Strict 
management  controls  are  needed  to  oisure  that  program  maintenance  responsibilities 
are  properly  assigned,  tiiat  programmer  positions  have  the  proper  sensitivity 
designations,  that  change  control  procedures  are  consistent  and  properly  applied,  and 
that  a  backup  of  tiie  operating  system  software  is  stored  off-site. 

Summary  of  Audit  Results.  Prior  audits  by  the  AFAA  and  the  IG,  DoD,  identified 
computer  security  problems  at  DLA-DSDC  and  the  three  DISA  WESTHEM 
organizations  tiiat  occurred  because  of  inadequate  management  controls  (Appendixes  C 
and  D).  Some  of  tiiese  management  control  weaknesses  were  material  in  nature,  but 
had  since  been  corrected. 

This  followup  audit  determined  that  DISA  WESTHEM,  DLA-DSDC, 
DMC-Columbus,  and  DMC-Denver  had  adequately  implemented  8  of  the  16  prior 
audit  recommendations  made  to  improve  controls  over  system  programmers  and  other 
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general  controls.  DMC-Denver  had  adequately  implemented  all  of  the  prior 
recommendations.  However,  additional  corrective  actions  were  r^uired  by  DISA 
WESTHEM  organizations  and  DLA-DSDC  to  ad^uately  implement  eight 
recommendations  related  to  controls  over  contractor  oversight,  recertification  reviews, 
quality  assurance  programs,  and  change  control  procedures.  Though  still  in  process, 
Ae  corrective  action  plann^  on  one  of  those  eight  recommendations  was  considered 
adequate.  Details  of  our  findings  are  presented  below  and  in  Appendix  D. 


Recertification  Review 


The  DMC-Columbus  had  not  performed  the  recertification  reviews  of  the 
organization's  computer  systems  required  by  Office  of  Management  and  Budget 
Circular  No.  A-130,  "Management  of  Federal  Information  Resources," 
December  1985.  Periodic  recertification  reviews  are  an  important  means  of  ensuring 
that  ad^uate  security  measures  are  in  place  on  computer  systems.  This  was  especially 
true  within  DISA  WESTHEM  because  computer  operations  at  the  legacy  sites  were 
migrating  to  the  Defense  megacenters.  This  condition  had  existed  since  1987  and  was 
last  reported  in  IG,  DoD,  Report  No.  94-060,  "General  Controls  for  Computer 
Systems  at  the  Information  Processing  Centers  of  the  Defense  Information  Services 
Organization,"  March  18,  1994.  A  similar  finding  was  reported  in  IG,  DoD,  Report 
No.  89-058,  "Management  of  Access  Controls  to  Computers  at  the  Defense  Logistics 
Agency,"  March  14,  1989.  The  Office  of  Management  and  Budget  guidance  states, 
"Agencies  shall  conduct  periodic  audits  or  reviews  of  sensitive  applications  and 
recertilfy  the  adequacy  of  security  safeguards.  Audits  or  reviews  and  recertifications 
shall  be  performed  at  least  every  three  years."  DoD  Directive  5200.28,  "Security 
Requirements  for  Automated  Information  Systems  (AIS),"  March  1988,  requires  the 
analysis  and  selection  of  appropriate,  cost-effective  security  measures  to  achieve  and 
maintain  a  minimum  level  of  protection. 

Management  acknowledged  the  r^uirement;  however,  the  recertification  review  was 
not  performed  because  the  priori^  assign^  was  not  high  raough  due  to  system 
migrations  and  organization  realignments  that  were  ta^g  place.  Since  these 
significant  changes  affected  the  securi^  posture  of  the  automated  information  systems 
at  DMC-Columbus,  an  interim  authority  to  operate  for  an  unspecified  period  of  time 
was  issued  by  the  appointed  Designated  Approving  Authority,  the  Director,  Defense 
Information  Services  Organization  (now  DISA  WESTHEM).  The  interim  authority  to 
operate  is  not  a  waiver  of  the  requirement  for  recertification;  however,  DISA 
Instruction  630-230-19,  "Security  R^uirements  for  Automated  Information  Systems 
(AIS),"  August  1991,  states  that  an  interim  authority  to  0|«rate  can  be  granted  for  a 
fixed  period  of  time  if  the  Designated  Approving  Authority  is  willing  to  accept  aU 
risks.  While  continuing  the  recertification  process,  the  interim  authority  to  o^rate 
permits  the  activity  to  meet  its  operational  mission  requirements  while  improving  its 
AIS  security  posture. 

Unless  the  required  recertification  review  is  performed  and  accepted,  management  is 
not  assured  that  die  level  of  risk  has  be^  adequately  defin^  or  reduc^  to  an 
accept^le  level  for  operational  requirements. 
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Change  Control  Procedures 


Formd,  written  procedures  controlling  changes  to  the  Multiple  Virtual  Storage 
operating  system  had  not  been  developed  or  implemented  by  DLA-DSDC,  as 
previously  recommended.  As  the  only  central  design  activity  for  DLA,  the  DLA- 
DSDC^  Office  of  Computer  Systems  Support  is  responsible  for  establishing  and 
maintaining  an  ADP  operating  environm^t  tiiat  supports  DLA-DSDC  and  its 
fee-for-service  customers. 

Corrective  action  on  this  recommendation  was  initially  delayed  due  to  the  unavailability 
of  resources  with  subject-matter  expertise  appropriate  for  the  project.  However,  the 
Commander,  DLA-DSDC,  recogni^  the  immediate  need  to  improve  the  change 
control  proc^ures  for  operating  system  maintenance  and  elevated  die  priority  placed 
on  the  project.  As  a  result,  the  "DLA-DSDC  Configuration  Management  Release 
Procedure"  document  is  currently  being  prepared. 

Since  any  software  change  can  have  dramatic  and  unexpected  effects,  changes  must  be 
properly  defined,  plann^,  coordinated,  tested,  and  implemented.  Improper  control  of 
operating  system  changes  could  allow  the  indoduction  of  unauthorL^  or  inaccurate 
computer  programs  that  could  compromise  the  integrity  of  the  operating  system. 


Contractor  Oversight  and  Control 


DISA  WESTHEM  had  not  finalized  guidance  for  control  and  oversight  of  contractor 
perOTnnel  requiring  system  access  at  the  Defense  megacenters.  A  DISA  WESTHEM 
Policy  Letter  95-4,  "Security  Guidwce  for  DISA  WKTHEM  Automated  Information 
System  (AIS)  Contracts,"  on  security  issues  for  AIS  contractors,  was  being  prepared. 
However,  corrective  action  will  not  be  complete  until  the  guidelines  are  ^alized  and 
implemented  at  the  DISA  WESTHEM  Defense  megacenters.  The  delay  was  attributed 
to  continued  realignmmts  at  DISA  WESTHEM. 

To  protect  programs  and  data  from  improper  changes,  direct  contractor  access  to  the 
operating  system  and  system  software  must  be  restricted  and  fully  documented. 


Quality  Assurance  Programs 


Abnormal  E^^gs  to  Computer  Operations.  The  Commander,  DISA  WHESTHEM, 
had  not  established  an  in-house  (^uklity  assurance  program  to  track,  analyze,  and 
prevent  ABENDS  due  to  repetitive  causes.  Rafter  than  establishing  a  DiSA 
WESTHEM  procedure,  the  Commander,  DISA  WESTHEM,  relied  on  the  computer 
centers  to  implement  fte  recommendation  at  their  respective  sites.  Some  corrective 
^tions  were  taken  at  fte  individual  computer  centers.  However,  establishing  and 
implementing  a  DISA  WESTHEM  proc^ure  would  help  «isure  that  all  Defense 
megacenters  followed  fte  required  control  procedures. 
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Without  effective  controls  oyer  ABENDS,  DISA  WESTHEM  will  continue  to  incur 
unnecessary  system  downtime,  re^nse  time  will  be  increased,  and  production 
schedules  will  be  missed. 


Automated  Data  Processing  Equipment  Maintenance.  The  Commander,  DISA 
WESTHEM,  had  not  established  an  in-house  quality  assurance  program  oyer  the 
maintenance  performed  under  ADP  equipment  contracts.  This  was  recommended  to 
make  sure  that  preyentive  and  remedial  maintenance  services  were: 

o  scheduled  and  approyed  in  adyance  by  DISA  WESTHEM  managers, 

o  adequately  documented  whoi  provided, 

o  verified  to  contract  terms  before  payment,  and 

o  certified  as  received  only  when  there  was  evidence  that  the  services  were 
actually  received. 

Instead  of  issuing  a  DISA  WESTHEM  procedure,  the  Commander,  DISA  WESTHEM, 
relied  on  the  computer  centers  to  implement  the  recommendation.  Some  corrective 
action  was  taken  by  those  computer  centers.  However,  establishing  and  implementing 
a  DISA  WESTHEM  procedure  would  ensure  that  all  Defense  megacenters  followed  the 
required  control  procedures.  If  vendor  maintenance  services  are  not  adequately  or 
effectively  monitored,  the  Government  can  incur  unnecessary  costs. 


Recommendations)  Management  Comments, 
and  Audit  Response 

C.l.  We  reconunend  that  the  Conunander,  Defense  Information  Systems  Agency, 
Western  Hemisphere: 

a.  Direct  the  Director,  Defense  Information  Systems  Agency,  Defense 
Megacenter,  Columbus,  Ohio,  to  cnmplete  by  July  1995  the  recertincation  review 
of  &e  organization's  c(nnputer  systems,  as  required  by  the  Office  of  Management 
and  Budget  Circular  No.  A-130. 

b.  Finalize  the  Defense  Liformation  Systems  Agency,  Western  Hemisphere, 
Policy  Letter  95-4,  "Security  Guidance  for  DISA  VilESTHEM  Automated 
Liformation  System  (AIS)  Contracts." 

c.  Establish  an  in-house  quality  assurance  program  to  track  and  analyze 
the  causes  of  abnormal  endings  to  computer  operations  and  prevent  abnormal 
endings  due  to  repetitive  causes. 

d.  Establish  an  in-house  quality  assurance  program  over  the  maintenance 
performed  under  automated  data  processing  equipment  contracts.  The  procedure 
should  require: 
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(1)  Contracting  personnel  to  schedule  and  approye  preyentive 
maintenance  in  adyance.  Both  suggested  and  approyed  schedules  should  be 
documented  in  the  contract  files  by  the  contracting  personnel. 

(2)  Computer  operators  at  the  Defense  Information  Systems  Agency, 
Western  Honisphere,  Defense  megacenters  to  maintain  adequate  documentation 
on  actual  preyentiye  and  remedial  sendees  performed. 

(3)  Contracting  personnel  to  yerify,  before  authorizing  payments  to 
yendors,  that  the  billings  by  yendors  (including  appropriate  credits)  for  preyentiye 
and  remedial  maintenance  are  prepared  in  accordance  with  contract  terms. 

(4)  Managers  at  the  Defense  Information  Systems  Agency,  Western 
Hemisphere,  to  certify  that  they  receiyed  preyentiye  maintenance  or  remedial 
maintenance  sendees  based  on  eyidence  that  ttie  services  were  receiyed. 

Management  Comments.  The  DISA  concurred  with  Recommendations  C.l.a.  and 
C.l.c.  stating  tiiat  the  recertification  review  at  DMC-Columbus  will  be  completed  by 
July  1995,  and  an  in-house  procedure  for  controlling  ABENDS  through  quarterly 
analyses  is  being  prepared  and  should  be  completed  by  October  1996. 

Management  partially  concurred  with  Recommendation  C.l.b.  to  finalize  policy 
guidance  on  security  for  AIS  contracts.  As  an  alternative,  the  guidance  in  the  policy 
letter  will  be  incorporated  into  security  procedures  by  August  1995. 

DISA  concurred  with  Recommendation  C.l.d.,  stating  that  corrective  actions  were 
implemented  on  February  17,  1995,  in  re^nse  to  fmdings  reported  in  IG,  DoD, 
Report  No.  94-060,  "Gener^  Controls  for  Computer  Systems  at  the  Information 
Processing  Centers  of  the  Defense  Information  Services  Organization,”  March  18, 
1994.  Management  stated,  "All  DMCs  have  the  corrective  action  and  are  to  be 
implementing  the  procedures  to  establish  an  in-house  quality  assurance  program  over 
the  maintenance  performed  under  ADPE  contracts.  This  corrective  action  will  be 
included  in  tiie  comprehensive  internal  management  control  program  (IMCP)  package 
DISA  WESTHEM  is  developing  for  all  assessable  units.  Estimated  completion  date  of 
the  DISA  WESTHEM  IMCP,  which  will  incorporate  the  quality  assurance  program,  is 
November  1995." 

Audit  Response.  Management  comments  adequately  responded  to  all  but  two 
recommendations.  Management  did  not  identify  Ae  specific  security  procedures  that 
would,  as  an  alternative  to  Recommendation  C.l.b.,  be  revised  to  incorporate  security 
guidance  on  AIS  contracts. 

Management  comments  on  Recommendation  C.l.d.,  related  to  contract  maintenance  on 
ADP  equipment,  did  not  clearly  describe  the  corrective  actions  talsn  or  planned  and 
give  completion  dates.  Managemoit's  reference  to  the  Defense  megacenters' 
implementation  of  a  procedure  for  the  quali^  assurance  program  did  not  clearly  explain 
what  that  procedure  required  or  what  organizational  level  issued  the  procedure.  We  are 
concerned  because  the  absence  of  a  procedure  applicable  to  all  DISA  WESTHEM 
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organizations  may  result  in  adequate  controls  not  being  implemented  at  all  Defense 
megacraters.  Adequate  corrective  actions  had  not  bran  takra  when  management 
previously  relied  on  individual  organizations  to  implement  this  recommendation. 
Addition^  comments  are  requested  from  DISA  on  Recommendation  C.l.b.  and  d. 

C.2.  We  recommend  that  the  Commander,  Defense  Logistics  Agency,  Systems 
Design  Center,  finalize  procedures  for  change  management: 

a.  To  control  the  processing  of  all  changes  to  the  Multiple  Virtual  Storage 
operating  system  at  the  Defense  Logistics  Agency,  Systems  Design  Center,  and 

b.  To  control  the  export  of  these  changes  to  their  customers. 

Management  Comments.  The  Defense  Logistics  Agency  did  not  respond  to  the  draft 
of  this  report  in  time  for  the  comments  to  be  included  in  this  final  report.  The 
comments  we  received  will  apply  to  the  final  report  unless  we  receive  an  additional 
response. 


Management  Comments  Required 

Management  is  requested  to  comment  on  the  items  indicated  with  an  X  in  Table  4. 

Table  4.  Management  Comments  Required  on  finding  C. 

Recommoidation  Concur/  Proposed  Completion  Related 

Number  Orpanixation  Nonconcur  Action  Date  Issues 

C.l.b.,  d.  DISA  X  X  None 
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Appendix  A.  Scope  and  Methodology 

SIcope  and  Methodology 


Methodology.  We  examined  (grating  system  features  that  can  affect  the 
integrity  of  operating  system  and  security  software.  Those  operating  system 
features  were  the  authorized  program  facility;  supervisor  calls;  the  time  share 
option;  the  program  properties  table;  the  job  entry  subsystem  2;  and  sensitive 
utilities.  We  also  examined  the  implementation  of  the  CA-TOP  SECRET, 
CA-ACF2,  and  RACE  security  software.  The  other  general  controls  examined 
included  controls  over: 

o  sensitive  programmer  positions, 

o  changes  to  operating  system  software  and  user  passwords, 

o  physical  security,  and 

o  the  efficiency  of  computer  operations. 

Scope  Limitations.  As  detailed  in  Appendix  D,  we  did  not  evaluate  the 
corrective  actions  taken  in  response  to  24  recommendations  made  in  IG,  DoD, 
Reports  No.  93-002  and  No.  94-065  to  the  MCCTA,  to  DIPC-Indianapolis,  and 
to  DIPC-Kansas  City.  The  work  load  of  those  three  organizations  was 
migrating  to  DMC-Denver  and  DMC-St.  Louis  during  the  audit.  Therefore,  we 
plan  a  separate  followup  audit  at  the  two  Defense  megacenters  after  the  work 
load  migrations  are  completed. 

Computer-Processed  Data  Used.  To  achieve  the  audit  objectives,  we  relied  on 
computer-processed  data  in  the  operating  system  libraries  and  the  security 
software  of  each  organization.  We  used  Computer  Associates,  Inc.,  EXAMINE 
(CA-EXAMINE)  auditing  software  to  extract  data  directly  from  computer 
memory  and  operating  system  libraries.  The  CA-EXAMINE  software  program 
audits  Multiple  Virtiid  Storage  operating  systems.  We  used  automated  and 
manual  techniques  to  analyze  system  data.  For  example,  to  test  security  rules 
and  features,  we  used  the  audit  features  of  three  security  software  packages: 
CA-TOP  SECRET,  CA-ACF2,  and  RACF.  To  test  (grating  system  features, 
we  used  the  same  terminals  that  are  normally  used  to  gain  access  to  system 
resources.  All  system  testing  and  use  of  audit  software  were  done  in  a 
controlled  environment  with  management's  approval.  Based  on  those  tests  and 
assessments,  we  concluded  that  the  data  were  sufficiently  reliable  to  be  used  in 
meeting  the  audit  objectives. 

Organizations  Visited,  Time  Period,  and  Standards.  We  performed  audit 
work  at  DFAS  FSA  Denver;  Headquarters,  DISA  WESTHEM;  DIPC- 
Cleveland;  DLA-DSDC;  DMC-Columbus;  and  DMC-Denver.  The  audit  at 
DMC-Columbus  included  followup  on  recommendations  made  to  the 
DIPC-Dayton,  whose  function  migrated  to  DMC-Columbus. 
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This  program  audit  was  performed  from  September  12,  1994,  through 
January  23,  1995,  except  for  limited  analyses  of  post-audit  corrective  actions. 
The  audit  was  made  in  accordance  with  auditing  standards  issued  by  the 
Comptroller  General  of  the  United  States,  as  implemented  by  the  Inspector 
General,  DoD,  and  accordingly  included  such  tests  of  m^agement  controls  as 
were  considered  necessary.  During  the  audit,  we  visited  or  contacted  the 
organizations  shown  in  Appendix  F. 


Management  Control  Program 


DoD  Directive  50010.38,  "Internal  Managemait  Control  Program,"  April  14, 
1987,  requires  DoD  organizations  to  implement  a  comprehensive  system  of 
management  controls  that  provides  reasonable  assurance  that  programs  are 
operating  as  intended  and  to  evaluate  the  adequacy  of  the  controls. 

Scope  of  Review.  We  reviewed  the  adequacy  of  management  controls  over 
sensitive  features  of  the  operating  system  and  security  software  and  other 
general  controls  at  DLA-DSDC  and  three  DISA  WESTHEM  organizations; 
DIPC-Cleveland,  DMC-Columbus,  and  DMC-Denver.  We  evaluated  the 
implementation  of  the  DoD  management  control  program  (the  Program)  at 
DLA-DSDC.  However,  we  did  not  review  the  Program’s  implementation  at  the 
three  DISA  WESTHEM  organizations  because  an  ongoing  audit  determined  that 
DISA  WESTHEM  had  improperly  defined  their  assessable  units  in  FY  1994. 
The  16  Defense  megacenters  were  treated  as  a  single  assessable  unit  (computer 
operations)  during  FY  1994.  Doing  so  was  not  reenable  because  these 
Defense  megacenters  represented  the  majority  of  the  mission  and  resources  of 
DISA  WESTHEM.  To  correct  this  problem,  DISA  WESTHEM  designated 
each  Defense  megacenter  as  an  assessable  unit  during  FY  1995. 

Adequacy  of  Management  Controls.  The  followup  audit  at  each  organization 
evaluated  management  controls  over  the  operating  system  and  security  software 
and  other  gene^  controls.  Material  management  control  weaknesses,  as 
defined  by  Office  of  Management  and  Budget  Circular  No.  A-123  and  DoD 
Directive  5010.38,  "Internal  Management  Control  Program,"  April  14,  1987, 
existed  at  DIPC-Cleveland,  DLA-DSDC,  DMC-Columbus,  and  DMC-Denver 
in  their  general  controls  over  supervisor  calls.  Inadequate  controls  over  these 
sensitive  features  of  the  operating  system  made  it  possible  for  knowledgeable 
users  to  improperly  access,  momfy,  or  destroy  sensitive  computer  data  and 
programs  without  detection.  Implementing  Recommendations  A.l.b.(l), 
A.l.b.(2),  A.3.a.,  A.3.b.,  A.4.a.,  A.4.b.,  and  A.4.C.  ^  correct  the  material 
weakness  in  controls  over  supervisor  calls  on  the  operating  system.  See  Part  I 
(Finding  A)  of  this  report  for  details.  As  shown  in  Appendix  E,  strengthened 
management  controls  and  other  nonmonetary  b^efits  will  be  realized  from 


■^e  DISA  WESTHEM  management  control  program  was  being  reviewed  under  IG, 
DoD,  Project  No.  4RE-2005.01,  "Internal  Management  Control  Program,  Defense 
Information  Systems  Agency,  Western  Hemisphere." 
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implementing  the  recommendations.  A  copy  of  the  report  will  be  provided  to 
the  senior  official  responsible  for  management  controls  in  the  Defense 
Information  Systems  Agency  and  the  Defense  Logistics  Agency. 

Reporting  Process.  Though  not  significant,  the  audit  determined  that 
opportunities  existed  for  improving  the  rqwrting  process  for  the  management 
control  program  at  DISA  WESTIffiM  and  DLA-DSDC.  Neither  organization 
reported  to  its  headquarters  all  of  the  material  weaknesses  that  existed. 
Specifically,  DISA  WESTHEM  did  not  rqwrt  material  management  control 
we^esses  identified  in  two  IG,  DoD,  reports: 

o  A  material  weakness  in  the  controls  over  passwords  at 
DMC-Columbus  was  identified  in  IG,  DoD,  Report  No.  94-060,  "Gwieral 
Controls  for  Computer  Systems  at  the  Information  Processing  Centers  of  the 
Defense  Information  Services  Organization,”  March  18,  1994. 

o  Material  weaknesses  in  the  controls  over  opm^ting  system  and 
security  software  and  other  management  controls  at  DIPC-Kansas  City  (then  the 
Defense  Information  Systems  Organization,  Information  Processing  Center, 
Kansas  City)  were  identified  in  IG,  DoD,  Rqx)rt  No.  94-065,  "Controls  Over 
Operating  System  and  Security  Software  Supporting  the  Defense  Finance  and 
Accounting  Service,"  March  24,  1994. 

Likewise,  DLA-DSDC  did  not  report  matmal  weaknesses  identified  in  the 
controls  over  operating  system  and  security  software  by  IG,  DoD,  Report 
No.  93-133,  "Controls  Over  Operating  System  and  Security  Software 
Supporting  the  Defense  Finance  and  Accounting  Service,"  June  30,  1993. 

DoD  Directive  5010.38  requires  Defense  agencies  and  other  DoD  Components 
to  submit  an  Aimual  Statement  of  Assurance  on  management  controls.  Intended 
for  Congress,  the  statement  should  explain  how  the  management  controls  were 
evaluated.  It  should  disclose  all  material  weaknesses  in  the  reporting  year, 
including  those  corrected  in  the  reporting  year  and  those  carried  forward  from 
prior  years.  The  material  managem^t  control  weaknesses  identified  by  the  IG, 
DoD,  were  not  reported  by  DISA  WESTHEM  because  management  decided 
that  reporting  requirem^ts  were  met  in  FY  1993  whoi  similar  weaknesses  were 
reported  at  other  DISA  WESTHEM  organizations.  At  DLA-DSDC,  the 
material  weaknesses  were  not  reported  because  the  responsible  numager  thought 
the  weaknesses  could  be  corrected  before  the  end  of  the  reporting  period  and 
was  not  aware  that  those  weaknesses  should  still  be  reported.  Because  aU 
material  weaknesses  were  not  reported  by  DISA  WESTHEM  and  DLA-DSDC, 
their  headquarters  were  not  givoi  opportunities  to  determine  whether  those 
weaknesses  should  have  been  includ^  in  the  reports  submitted  for  possible 
inclusion  in  the  annual  rqwrt  submitted  to  Congress  by  the  Secretary  of 
Defense. 
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Prior  Audits  and  Other  Reviews 


Prior  IG,  DoD,  and  AFAA  audits  determined  that  financial  computer  systems 
critical  to  DoD  were  exposed  to  fraud  and  other  risks.  KnowlMgeable  users 
could  exploit  weaknesses  in  the  operating  system  and  security  software  wd 
other  general  controls  to  improperly  access,  add,  modify,  or  destroy  sensitive 
computer  data,  programs,  and  other  resources  (accidentally  or  intentionally) 
without  risk  of  detection.  The  reports  issued  on  these  prior  audits  and  the  audit 
followup  made  in  tiiis  and  other  IG,  DoD,  audits  is  discussed  below. 

AFAA  Report,  "Data  Processing  Center  (DPC)  Operations  and  Security  at 
the  Air  Force  Accounting  and  Fimmce  Center  (AFAFC)  (Project 
No.  0195410),"  August  5,  1S>91.  The  rqxjrt  identified  weaknesses  in  the 
controls  over  operating  system  and  security  software  at  the  finance  center.  We 
followed  up  on  all  prior  recommendations  made  to  improve  the  security  of  the 
computer  center  (now  DMC-Denver)  of  the  Air  Force  Accounting  and  Finance 
Center. 

IG,  DoD,  Report  No.  93-002,  "Controls  Over  Operating  System  and 
Security  Software  Supporting  the  Defense  Finance  and  Accounting 
Service,"  October  2,  1992.  The  report  identified  weaknesses  in  Ae  controls 
over  the  operating  system  and  security  software  and  in  operating  system 
maintenance  at  two  DISA  organizations.  We  followed  up  on  all  prior 
recommendations  made  to  improve  security  at  DIPC-Cleveland.  FoUowup  on 
the  recommendations  made  to  the  DIPC-Indianapolis  is  being  perform^  at 
DMC-Denver  under  IG,  DoD,  Project  No,  5FD-5026,  "Followup  Audit  of 
Controls  Over  Operating  System  and  Security  Software  and  General  Controls  of 
the  Computer  Systems  Supporting  the  ^fense  Finance  and  Accounting 
Service." 

IG,  DoD,  Report  No.  93-133,  "Controls  Over  Operating  System  and 
Security  Software  Supporting  the  Defense  Finance  and  Accounting 
Service,"  June  30, 1S^3.  The  report  also  idratified  weaknesses  at  DLA-DSDC 
and  two  DISA  organizations  in  controls  over  operating  system  and  security 
software  and  in  operating  system  maintenance.  We  followed  up  at  DLA-DSDC 
and  DMC-Columbus  on  all  prior  audit  recommendations  to  improve  computer 
security. 

IG,  DoD,  Report  No.  94-060,  "General  Controls  for  Computer  Systems  at 
the  Information  PCocessing  Centers  of  the  Defense  Information  Services 
Organization,"  hforch  18,  1994.  The  report  idratified  weaknesses  at  three 
DISA  organizations  in  controls  over  abnormal  endin|s  to  computer  operations; 
ADP  equipment  maintoiance  and  security  oversight;  access  to  sensitive 
computer  assets;  and  potential  environmenttd  hazards.  Weaknesses  in  change 
control  procedures  at  DFAS  FSA  Daiver  wwe  also  identified.  Followup  was' 
performed  on  the  prior  recommendations  made  to  improve  computer  security  at 
DMC-Columbus  and  DMC-Denver.  Howevw,  we  determined  that  followup 
was  no  longer  viable  on  recommendations  to  DIPC-Indianapolis  to  make 
structural  improvements  or  revise  operating  procedures.  Such  recommendations 
were  made  obsolete  when  the  DIPC-Indianapolis  work  load  was  consolidated  at 
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DMC-Denvor.  Followup  on  recommendations  made  to  DIPC-Pensacola 
(formerly  DFAS  FSA  Pensacola)  is  being  performed  under  IG,  DoD,  Project 
No.  4FG-5060,  "Corrective  Action  on  System  and  Software  Security 
Deficiencies." 

IG,  DoD,  Report  No.  94-065,  "Controls  Over  Operating  System  wd 
Security  Software  Supporting  the  Defense  Finance  and  Accounting 
Service,"  March  24,  1S^4.  The  r^rt  identified  weaknesses  in  Ae  controls 
over  operating  system  and  security  software  and  in  operating  system 
maintenance  at  two  Marine  Corps  and  two  DISA  organizations.  Fofiowup  on 
the  recommendations  made  to  DIPC-Kansas  City,  MCCTA,  and  MCCTA 
Worldwide  Support  Division  is  being  made  at  DMC-St.  Louis  under  IG,  DoD, 
Project  No.  5FD-5026.  Followup  on  recommendations  made  to  DIPC- 
Pensacola  (formerly  DFAS  FSA  Pensacola)  is  being  made  under  IG,  DoD, 
Project  4FG-5060. 

IG,  DoD,  Report  No.  95-066,  "Controls  Over  Application  Software 
Supporting  the  Navy's  Inventories  Held  for  Sale  (Net),"  December  30, 
1994.  The  report  identified  weaknesses  in  the  controls  over  operating  system 
and  security  software,  and  in  the  integrated  data  management  system  data  base 
at  DMC-Mechanicsburg  (Pennsylvania)  and  the  Naval  Supply  Systems 
Command,  Ships  Parts  Control  Center.  We  did  not  follow  up  on  the 
recommendations  made  in  the  prior  rqwrt  because  the  report  had  not  been 
issued  at  the  time  this  audit  was  requested. 
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Access  control  is  a  general  term  used  to  describe  a  number  of  techniques  that  restrict  users  of 
a  computer  system  from  gaining  access  to  the  system  or  each  others'  data,  or  from  performing 
unauthorized  actions.  When  applied  to  software,  access  control  usually  refers  to  one  of  the 
specialized  software  security  packages,  such  as  RACF  security  software. 

APF  is  an  authorized  program  facility.  It  is  an  IBM  mechanism  for  protecting  the  integrity 
and  security  of  the  MVS  operating  system.  It  provides  for  the  orderly,  controlled  extension  of 
the  operating  system  by  defining  special  program  libraries  that  may  contain  programs  that  are 
authorized  to  execute  in  the  supervisor  state.  APF-authorized  programs  have  the  potential  to 
bypass  all  security  controls. 

Only  properly  authorized  programs  should  be  allowed  to  perform  sensitive  tasks  such  as 
accessing  or  modifying  another  program's  execution  or  data  areas.  A  program  that  can 
perform  sensitive  functions  outside  of  established  APF  rules  can  become  part  of  the  operating 
system,  and  can  circumvent  or  disable  all  security  mechanisms,  alter  audit  trails,  or  modify 
any  computerized  data,  regardless  of  the  presence  of  access  control  software. 

According  to  IBM's  MVS  security  manual,  APF  procedures  should  require  system 
programmers  to  use  security  software  to  control  the  creation  of  and  access  to  APF  libraries  and 
the  creation  of  APF  programs.  All  APF  programs  should  have  unique  names  to  prevent 
mix-ups  in  processing,  and  the  file  containing  Ae  names  of  APF  libraries  and  volume  serii 
numbers  (disk  device  numbers)  should  reflect  only  valid  libraries  and  volume  serial  numbers. 
Failure  to  comply  with  these  IBM  guidelines  can  introduce  significant  integrity  exposures  to 
the  operating  system,  and  can  lessen  management's  control  over  system  software. 

Application  programs  are  programs  that  are  intended  to  serve  particular  business  or 
nonbusiness  needs  and  have  q)ecific  input,  processing,  and  ouqjut  activities.  For  example, 
accounts  receivable,  general  ledger,  payroll,  and  personnel  programs  are  some  types  of 
application  programs. 

Assembler  language  is  the  fundamental,  low-level  language  of  the  IBM  370  series  of 
computers. 

Bypass  label  processing  is  a  process  that  bypasses  tape  security  when  nonstandard  tapes  are 
temg  processed.  It  positions  the  tape  to  the  specified  file  without  checking  for  volume  or 
dataset  labels. 


Change  control  system  is  a  formal  procedure  for  management  to  approve  and  control  changes 
to  operating  system  programs  and  to  track  the  status  of  those  changes. 

Designated  Approving  Authority  is  reqwnsible  for  reviewing  and  approving  security 
safeguards  for  automated  information  systems,  and  for  issuing  accreditation  statements  for 
each  system  under  his/her  jurisdiction. 

Data  base  is  a  collection  of  interrelated  data  stored  together. 

Disk  is  a  data  storage  device  that  allows  data  to  be  accessed  randomly  or  sequentially  without 
passing  through  unwanted  data. 
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Embedded  passwords  are  passwords  that  are  coded  into  a  program. 

Erase  on  Delete  is  a  RACE  security  feature  that  overwrites  file  data  when  the  file  has  been 
deleted.  It  is  a  requirement  for  the  C2  security  level. 

File  is  a  collection  of  related  data  records  stored  on  an  external  storage  medium,  usuallv  a  disV 
or  tape.  ^ 

Job  entry  subsystem  2  (JES2)  is  one  of  two  IBM  job  management  routines  that  reads  the  job 
stream  and  assigns  jobs  to  class  queues  (computer  data  or  programs  awaiting  processing).  The 
other  job  management  routine  is  JES3.  JES2  processes  jobs  and  manages  system  input  and 
output  processing.  JES2  parameters  control  how  and  with  what  restrictions  jobs  will  be  run  on 
a  computer  system. 

JES2  options  allow  console  operator  commands  to  be  placed  in  job  control  language.  The 
options  are  assigned  by  type  of  job  class.  There  are  36  possible  batch  job  classes,  and  two 
additional  special  classes  for  time-share-option  logons  and  started  tasks. 

Job  is  a  basic  unit  of  work  on  an  IBM  computer.  A  job  consists  of  one  or  more  steps  or 
program  executions. 

Job  Control  Language  is  a  problem-oriented  computer  language  used  in  a  job  that  identifies 
the  job  or  describes  its  requirements  to  the  operating  system. 

Job  streams  are  a  sequence  of  job-control-language  statements  and  data  submitted  to  an 
operating  system. 

Legacy  sites  are  the  computer  centers  that  were  consolidated  into  DISA  WESTHEM  Defense 
megacenters. 

Library  is  a  collection  of  related  data  files  or  programs. 

Logon  ID  is  a  method  by  which  users  sign  onto  a  computer  and  are  identified. 

MVS  is  the  IBM  multiple  virtual  stor^e  operating  system. 

PPT  is  the  program  properties  table.  It  contains  the  names  of  special  programs,  including 
their  codes  and  propmties.  Some  MVS  programs  are  allowed  extraordinary  powers  and 
privileges  not  normally  permitted  bjr  the  operating  system.  A  list  of  these  programs,  including 
their  special  powers  and  privileges,  is  maintained  in  MVS,  and  is  known  as  the  PPT. 

Programs  in  the  PPT  can  bypass  security  software  mechanisms  such  as  password  protection, 
can  ignore  file  integrity,  and  can  assign  a  unique  storage  protection  key  of  less  than  eight.  All 
of  these  are  potential  threats  to  system  integrity.  It  is  important  to  ensure  that  all  programs  in 
the  PPT  have  wily  the  capabilities  needed  to  function  properly,  and  that  the  programs  are 
safeguarded  against  unauthorized  use. 

Program  names  must  be  kt^it  in  a  special  library  created  and  controlled  by  the  installation,  or 
in  two  IBM  default  libraries.  The  program  must  also  be  contain^  in  an  APF-authorized 
library.  Controls  are  intact  if  users  cannot  get  a  Trojan  Horse  program  into  an 
APF-authorized  library  by  using  the  name  of  a  nonexisteit  program.  However,  if  APF 
controls  are  weak,  the  risk  of  unauthorized  entry  increases. 
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Profile  IS  a  CA-TOP  SECRET  term  related  to  security  administration.  Profile  user  IDs 
cont^  permissions  and  access  levels  to  resources  for  multiple  users;  their  purpose  is  to 
provide  a  place  in  the  security  database  where  common  access  to  resources  can  be  stored. 

Sensitive  unties  are  computer  programs  that  provide  general  support  for  computerized 
processes  (that  is,  diagnostic  programs  or  programs  designed  to  create  test  data,  or  copy  data 
from  one  storage  device  to  another).  The  utilities  become  sensitive  when  they  can  bypass 
system  security  software  or  management  controls  and  destroy  data  if  not  used  properly. 

Software  is  a  generic  term  used  to  define  all  programming  on  a  computer  system,  whether 
supphra  by  vendors  or  developed  by  in-house  programmers.  System  software  includes  the 
operating  system  and  accompanying  utility  programs  that  enable  a  user  to  control,  configure 
and  mamtam  the  computer  system  software. 

Supervisor  (SVC)  is  an  assembler  language  instruction  that  causes  a  hardware 
mtemiption  when  executed.  The  operating  system  then  passes  control  to  the  SVC  to  tell  the 

o^ratmg  system  what  service  is  being  requested  (open  a  file  for  read  or  write  access,  close  a 
file,  etc.). 

SVCs  are  divided  into  two  categories.  One  category  is  available  to  all  programs,  while  the 
sewnd  IS  restnct^  to  APF-authorized  programs  only.  Validity  checking  is  the  control 
techmque  that  hnuts  the  execution  of  sensitive,  unrestricted  SVCs.  The  first  200  SVCs  are 
provided  by  IBM  or  other  software  vendors.  The  remaining  56  SVCs  can  be  added  by  a 
computer  center  s  in-house  programmers  to  meet  its  unique  requirements  or  vendor  software 
requirements. 

Trojan  Horse  is  a  program  that  executes  under  an  assumed  identity  or  name.  It  uses  a  normal 
program  n^e,  but  performs  unauthorized  tasks  not  associated  with  the  normal  program  name. 
For  example,  m  a  payroll  system,  a  Trojan  Horse  program  could  be  used  to  give  employees 
unauthorized  promotions  or  pay  increases. 

Update  access  is  a  feature  of  the  security  system  that  allows  write  access  to  a  file. 

User  ID  is  a  method  by  which  users  sign  onto  a  computer  and  are  identified. 

Utility  programs  are  computer  programs  or  routines  that  perform  graeral  data-  and 
system-related  functions  required  by  other  application  software,  by  the  operating  system  or  by 
users.  Examples  include  copying,  sorting,  and  merging  files. 

Validity  checking  is  an  MVS  integrity  control.  It  detects  and  disallows  invalid  user 
operations  and  system  requests  that,  if  allowed,  would  compromise  system  security  controls. 
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Audit  Followup 


Except  for  the  scope  limitations  discussed  in  App^dix  A,  the  audit  evaltiated  the 
corrective  actions  taken  in  response  to  recommendations  m^e  to  DISA  WESTHEM 
organizations  and  DLA-DSDC  in  one  Air  Force  Audit  Agency  report  and  three  IG, 
DoD,  reports.  Listed  below  are  the  four  rqx)rts  and  the  organizations  where  audit 
followup  was  made. 


Organizations  Where  Audit  Followup  Was  Made 

Defense  Information  Systems  Agency, 

Western  Hemisphere  (DISA  WESTHEM): 

Headquarters,  Fort  Ritchie,  Maryland 

Defense  Megacenter  (DMQ'Columbus 

DMC-Denver 

Defense  Information  Processing  C^ter 
(DIPC)-Cleveland 

Defense  Logistics  Agency, 

Systems  Design  Center  (DLA-DSDC) 


AFAA 

Project  No.  IG.  DoD.  Report  No. 

0195410^  93:0022  93-1333  94-060^ 

X  X 

X  X 

X  X 

X 

X 


^AFAA  Project  No.  0195410,  "Data  Processing  Colter  Operations  and  Security  at  the  Air  Force 
Accoimting  and  Finance  Center  (AFAFC),"  August  5,  1991, 

2ig,  DoD,  Report  No.  93-002,  "Controls  Over  Operating  System  and  Security  Software  Supporting  the 
Defense  Finance  and  Accounting  Service,"  October  2,  1992. 

3IG,  DoD,  Report  No.  93-133,  "Controls  Over  Operating  System  and  Security  Software  Supporting  the 
Defense  Finance  and  Accounting  Service,"  June  30,  1993. 

^IG,  DoD,  Report  No.  94-060,  "General  Controls  for  Computer  Systems  at  the  Information  Processing 
Centers  of  the  Defease  Infonnation  Services  Organizaticm,"  March  18,  1994. 
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Recommendation,  and  Organization 
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Appendix  E,  Summary  of  Potential  Benefits 
Resulting  from  Audit 


Recommendation 

Reference  Description  of  Benefit 


Amount  and/or 
Type  of  BeneHt 


A.l.a., 

A.2.a., 

A.2.b. 


A.l.b.(l), 

A.3.a., 

A.3.b., 

A.4.a., 

A.4.b., 

A.4.C. 


A.l.b(2) 


B.l.a., 

B.l.b., 

B.3. 


B.2. 


Management  controls.  Improves 
computer  security  at  DIPC- 
Cleveland  and  other  DISA 
WESTHEM  computer  centers  by 
strengthening  controls  over  the 
Authorized  ftrogram  Facility. 

Management  controls.  Improves 
computer  security  at  DLA-DSDC, 
DIPC-Cleveland,  DMC-Columbus 
and  DMC-Denver  by  eliminating 
material  management  control 
weaknesses  in  the  controls  over 
supervisor  calls. 

Management  controls.  Improves 
computer  security  at  all  DISA 
WESTHEM  computer  centers  by 
ensuring  that  IBM-recommended 
installation  integrity  guidelines  are 
implemented. 

Management  controls.  Improves 
computer  security  at  DFAS  FSA 
Denver  and  DMC-Denver  by 
strengthening  controls  over  bypass 
label  processing  and  one  special 
privilege  attribute  (NOSUBCHK) . 

Man^ement  controls.  Improves 
physical  security  of  costly  computer 
assets  at  DMC-Denver  by  reducing 
risk  of  water  damage. 

Nonmonetary. 


Nonmonetary. 


Nonmonetary. 


Nonmonetary. 


Nonmonetary. 


Nonmonetary. 
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Recommendation 

Reference  Description  of  Benefit 


B.4. 


B.5. 


C.l.a. 


C.l.b., 

C.l.c., 

C.l.d.(l), 

C.l.d.(2), 

C.l.d.(3), 

C.l.d.(4), 

C.2.a., 

C.2.b. 


Management  controls.  Improves 
computer  security  at  DIPC- 
Cleveland  by  strragthening  the 
controls  over  sensitive  utilities. 

Management  controls.  Improves 
the  operational  efficiency  of  all 
DISA  WESTHEM  computer  centers 
by  waiving  an  unnecessary  C2 
security  requirement. 

Management  controls.  Improves 
computer  security  at  DMC- 
Columbus  by  completing  required 
recertification  reviews  of  computer 
systems. 

Management  controls.  Strengthens 
management  controls  and  improves 
efficiency  of  computer  operations  at 
DFAS  FSAs,  DISA  WESTHEM 
computer  centers,  and  DLA-DSDC 
by  issuing  standard  procedures 
related  to  contractor  access  to 
systems,  abnormal  endings  to 
computer  operations,  ADP 
equipment  contracts,  and  changes  to 
o^rating  system  software. 


Amount  and/or 
Type  of  Benefit 


Nonmonetary. 


Nonmonetary. 


Nonmonetary. 


Nonmonetary. 
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Appendix  F.  Organizations  Visited  or  Contacted 


Office  of  the  Secretary  of  Defense 

Office  of  the  Under  Secretary  of  Defense  (Comptroller),  Washington,  DC 
Office  of  the  Assistant  Secretary  of  Defense  (Command,  Control,  Communications  and 
Intelligence),  Washington,  DC 


Defense  Agencies 

Defense  Finance  and  Accounting  Service,  Washington,  DC 
Defense  Finance  and  Accounting  Service,  Denver,  CO 

Defense  Finance  and  Accounting  Service,  Financial  Systems  Organization,  Financial 
Systems  Activity,  Denver,  CO 
Defense  Information  Systems  Agency 

Defense  Information  Systems  Agency,  Western  Hemisphere^  Fort  Ritchie,  MD 
Defense  Information  Systems  Agency,  Western  Hemisphere,  Denver,  CO 
Defense  Information  Processing  Center^,  Cleveland,  OH 
Defense  Megacenter^,  Columbus,  OH 
Defense  Megac«iter^,  Denver,  CO 
Defense  Logistics  Agency,  Alexandria,  VA 

Defense  Systems  Design  Center,^  Columbus,  OH 


iThe  Defense  Information  Systems  Agency,  Western  Hemisphere  (DISA  WESTHEM), 
was  referred  to  in  IG,  DoD,  Rqwrts  No.  93-002  and  No.  94-060  as  either  the  DISA 
Defense  Information  Services  Organization  (DISO)  or  the  Defense  Information 
Technology  Services  Organization  (DITSO). 

2ln  IG,  DoD,  Rqwrt  No.  93-002,  the  DISA  WESTHEM  Defense  Information 
Processing  Center-Cleveland  was  referred  to  as  the  DITSO  Information  Processing 
Center-Cleveland. 

^In  IG,  DoD,  Reporte  No.  93-133  and  No.  94-060,  the  Defense  Megacenter-Columbus 
was  referred  to  as  either  the  DISO  fiiformation  ftocessing  Center-Columbus,  or  the 
DITSO  Columbus  Information  Processing  Activity. 

^In  Air  Force  Audit  Agency  Rqwrt  No.  0195410  and  in  IG,  DoD,  Rqport  No.  94-060, 
the  Defense  Megacoiter-Denver  was  referred  to  as  either  the  Air  Force  Accounting  and 
Finance  Center  or  the  DISO  Information  Processing  Center-Denver. 

^The  Defense  Logistics  Agency  (DLA),  Systems  Design  Center,  was  referred  to  as  the 
DLA  Systems  Automation  Center  in  IG,  DoD,  Rqwrt  No.  93-133. 
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Appendix  G.  Report  Distribution 


Office  of  the  Secretary  of  Defense 

Under  Secretary  of  Defense  (Comptroller) 

Deputy  Under  Secretary  of  Defense  (Comptroller/Management) 

Director,  Management  Improvement 
Dq)uty  Under  Secretaiy  of  Defoise  (Comptroller/Program/  Budget) 

Assistant  Secretary  of  Defense  (Command,  Control,  Communications  and  Intelligence) 
Assistant  to  the  Secretary  of  Defense  (Public  Affairs) 

Director,  Administration  and  Management 

Director,  Defense  Logistics  Studies  Information  Exchange 


Department  of  the  Army 

Auditor  General,  Department  of  the  Army 


Department  of  the  Navy 

Assistant  Secretary  of  the  Navy  (Financial  Management  and  Comptroller) 
Auditor  General,  Dq)artment  of  the  Navy 


Department  of  the  Air  Force 

Assistant  Secretary  of  the  Air  Force  (Financial  Management  and  Comptroller) 
Auditor  General,  Department  of  the  Air  Force 

Office  of  the  Dq)uty  Assistant  Secretary  of  the  Air  Force  (Plans,  Systems  and 
Analysis),  Audit  Liaison  and  Follow-up 


Other  Defense  Organizations 

Director,  Defense  Contract  Audit  Agency 
Director,  Defense  Finance  and  Accounting  Service 

Director,  Defense  Finance  and  Accounting  Service  Denver  Center 
Director,  Financial  Systems  Organization 

Director,  Financial  Systems  Organization,  Financial  Systems  Activity  Denver 
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Other  Defense  Organizations  (cont'd) 

Director,  Defense  Information  Systems  Agency 

Commander,  Defense  Information  Systems  Agency,  Western  Hemisphere 

Director,  Defense  Information  Systems  Agency,  Defense  Information  Processing 
Center-Cleveland 

Director,  Defense  Megacenter-Columbus 
Director,  Defense  Megacenter-Denver 
Comptroller,  Defense  Information  Systems  Agency 
Inspector  General,  Defense  Information  Systems  Agency 
Director,  Defense  Logistics  Agency 

Commander,  Defense  Logistics  Agency,  Systems  Design  Center 
Director,  National  Security  Agency 
Inspector  General,  Nation^  Security  Agency 


Non-Defense  Federal  Organizations 

National  Security  Division,  Special  ^ojects  Branch,  Office  of  Management  and  Budget 
Information  Management  and  Technical  Division,  General  Accounting  Office 
Technical  Information  Center,  National  Security  and  International  Affairs  Division, 
General  Accounting  Office 

Chairman  and  ranking  minority  members  of  each  of  the  following  congressional 
committees  and  subcommittees: 

Senate  Committee  on  Appropriations 

Senate  Subcommittee  on  Defense,  Committee  on  Appropriations 
Senate  Committee  on  Armed  Services 
Senate  Committee  on  Government^  Affairs 
House  Committee  on  Appropriations 

House  Subcommittee  on  National  Security,  Committee  on  Appropriations 
House  Committee  on  Government  Reform  and  Oversight 
House  Subcommittee  on  National  Security,  International  Affairs,  and  Criminal 
Justice,  Committee  on  Government  Reform  and  Oversight 
House  Committee  on  National  Security 


49 


This  page  was  left  out  of  orignial  document 


Part  III  -  Management  Comments 


Defense  Finance  and  Accounting  Service 
Comments 


DEFENSE  FINANCE  AND  ACCOUNTING  SERVICE 

1931  JirFCRtON  DAVIS  HIGHWAY 
AftUNOTON.  VA  aaiAOHiatf 


DFAS-KQ/PA 


MAY  23  B96 


MEMORANDUM  FOR  DEPUTY  DIRICTOR  FOR  FINANCIAL  MAKAGSKENT, 
DEPARTMENT  OF  DEFENSE  INSPECTOR  GENERAL 


SUBJECT:  Follomjp  Audit  of  Controls  Ovor  pporating  Eystan  and 
Security  Softvaro  and  Othar  Ganaral  Controls  for 
Computor  Systams  Supporting  tha  Oafansa  Finanea  and 
Accounting  Sarvica  (Projact  No.  4PD*S06B) 


This  rasponds  to  your  maaorandum  of  March  24,  19P5,  on  tha 
abova  subject.  Bpociflc  Dafansa  Finance  and  Accounting  Sarvica 
comments  to  racomroandations  B.2  and  B.3  are  attached* 


If  you  have  any  questions,  you  may  contact  Dannia  Bchilehar 
at  (703)  607-3939. 


Cchaal  I.  Wilson 
Deputy  Director 
Customer  Sarvica  and 
Parforsanca  Aaaaasmant 


Attachment 
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Followp  Audit  of  Control*  over  pporntlng  Systom  ond  Socurity 
8oftv«ra  and  othar  Ganaral  Control!  for  Conputar  Syatama 
Supporting  tha  Pafanaa  Financa  and  Accounting  Sarvica 
Projact  Vo*  4FD«>S06B 


VaeoBMandatioa  V.S.  ITa  racoaonahd  that  tha  Diractor,  Dafanaa 
Financa  and  Accounting  Sarvica  ^  Oanvar  Can  tar/  raguira  tha 
Director/  Directorate  of  Support  Services,  at  Dafenaa  Pinanea  and 
Accounting  Service,  Denver  Center/  to  install  overhead  shutoff 
valves  in  the  computer  room  at  tha  Dafenae  Hegaeenter,  Denvar, 
Colorado. 

DPAS  naapoaaa: 

Concur.  Tha  accompli ahaent  of  tha  total  projact  will 
raquire  an  aatimatad  24  montha  to  conplata.  Two  contracting 
actions  will  be  needed,  one  for  tha  engineer  daaign  and  one  for 
installation  of  isolation  valves.  One  reason  for  tha  extended 
installation  time  is  to  allow  for  acconplishnent  of  work  without 
interrupting  the  normal  operation  of  building  444  and  the  Defense 
Megacentar  computer  operations. 

It  should  bo  noted  that  the  piping  systems  that  are 
currently  routed  through  the  computer  room  are  in  good  repair  and 
physical  inspections  have  not  identified  any  pipe  or  component 
deterioration.  Realizing  that  physical  inapsctlon  systems  are 
not  flawless,  but  based  upon  the  systems  age,  lass  than  half  of 
its  sconomic  life,  the  systems  integrity  does  not  appear  to  be  at 
risk. 

DFAS~DS  received  funding  for  this  project  on  May  17,  1995. 
Contact  has  been  made  with  au{^rt  engineers  at  Paterson  AFB  and 
they  beliava  they  will  be  able  to  let  the  contracts  for  ths 
design  and  installation  of  the  water  isolation  valves  this  year. 

Estimated  Completion  Detef  March  1997 


Recommendation  1.2.:  We  recommend  that  the  Director,  Defense 
Finance  end  Accounting  Service,  Financial  SystomB  Activity, 
Denver,  Colorado,  modify  the  epplicstion  code  to  allow  the 
removal  of  tha  MOBUBCKK  special  privilege  attribute. 

DFAR  ComsMnts 

Concur.  Ne  have  reviewed  end  identified  the  IDME  programs 
utilizing  a  special  security  attribute  of  HOatTBCHX.  Our 
programming  effort  to  remove  the  utilization  of  this  attribute 
has  bean  testsd  and  will  be  implemented  in  the  production 
environment  es  of  May  31,  1995. 

Sstimated  Coopletion  Pate:  May  31,  1995. 
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KMACE>fE»rr  COMMENTS  07  DRAFT  RfiPQRT  07  7HB  FOLLOW?  AUDIT 
m  qO^OM  JJVSR  OPaRATDW  fiYSTDI  AKD  SECDRITT  SOFTWARE 
AND  OIKSR  GENERAL  OQUIRDLS  FOR  OOMPUIER  SYSTEMS  SUPPORTING 
THE  DSFBTSB  FINANCB  AND  ACOOUNTING  SERVXCS 
(Project  No.  4ro-5068) 


1.  RftcoDnttndabion  A.l.a.i  Review  and  finalize  the  draft  DISA 
WESTHEM  Policy  I<etter  95-3,  "Oversidht  and  Control  of  Access  to 
Authorized  Program  Facility  (APF)  iJbraries/Filec." 

Responae:  Conaur  in  Part.  The  Draft  DISA  WESTHEM  Policy  Letter 
95-3  will  be  rescinded.  In  lieu  of  a  policy  statement,  the 
reqfuirements  contained  in  the  draft  policy  will  3»e  incorporated 
in  the  MVS  Technical  In^ilementation  standards  (2. 1.2.1. 
subparagraph  3)  in  the  next  release  anticipated  for  Au^st  1995. 

2.  Reccomendaticn  A.l.b.(l).:  Provide  technical  assistance  to 
solve  the  ixitegrity  problems  caused  by  supervisor  calls. 

Response:  Concur.  DISA  WESTHEM  coxrently  responds  to  the  CMCs 
request  for  review  of  supervisor  calls.  For  example ,  DMC  Denver 
requested  an  analysis  and  review  of  the  supervisor  calls  to 
determine  vAiat,  if  any,  controls  could  be  inplemented  to  correct 
the  problems.  DISA  WESTHEM  sent  tvgo  individiials  to  CMC  Denver 
and  provided  recommendations  for  securing  the  simervlsor  calls. 

As  DISA  WESTHEM  currently  provides  technical  assistance  to  the 
CMCs  which  satisfies  the  recommendation,  we  recommend  this  action 
be  closed. 

3.  Recennendation  A.l.b.  (2)  t  Conduct  and  report  on  periodic 
assurance  reviews  on  the  CMCs  coirpliance  with  the  •COnputer 
Operations  MVS  Security  Technical  Inplementation  Standards,^ 

24  December  1994. 

Response:  Concur.  DISA  WESTHEM  has  ccoiducted  a  Security 
Readiness  Review  (SRR)  of  each  of  the  16  CMCs  and  has  developed  a 
follow-up  process  for  correcting,  reporting,  and  tracking  the 
status  ot  each  of  the  findings  of  the  SKR  process..  In  addition, 
during  FT  1996.  no-notice  inspections  for  some  of  the  CMCs  are 
pl2uined.  Cbmplementing  this  process  is  DISA  WESTHEM*  s  ability  to 
provide  real-time  surveillance  ..of  the  CMCs.  As  this  is  an 
ongoix^  effort  vhich  satisfies  the  recotnnendation,  we  recotzmend 
this  action  be  closed. 

4.  Reemendatioa  A. 2. as  Direct  the  Chief,  Technical  Support, 
to  review  all  authorized  program  facility  libraries  and  programs 
and  delete  obsolete  and  undocumented  programs . 

Response:  Ooncur.  DISA  WESTHEM  reviewed  all  authorized  program 
facility  libraries  and  programs  and  deleted  obsolete  and 
undocumented  programs  in  A^il  1995.  Therefore,  we  recommend 
this  action  be  closed. 
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5.  RecoBinendatlon  X«2.bi  Direct  the  Autonated  Information 
Syetema  Security  Officer  to  review  accees  rules  of  all  authorized 
program  facility  libraries  and  limit  update  access  to  APF 
databases  to  the  software  specialist's  area  of  responsibility  as 
required  by  DISA  WESTHEM  Policy  Letter  55-3. 

Response:  Concur.  In  response  to  Recornnendation  A.i.a.,  the 
next  release  of  the  MVS  Technical  Implementation  Standards  will 
be  August  1995.  All  DISA  MESTHEM  security  officers  will  be 
required  to  review  this  manual. 

6.  Recommendations  A.4.a.b.c:  Make  the  appropriate  changes 
requii'ed  to  eliminate  the  integrity  e5q)oeures  existing  on  the 
four  SVCf;  request  appropriate  proqranming  assistance  in 
resolving  the  problems  with  supervisor  calls  at  DMC  Denver  and 
Dire  Cleveland?  and  export  the  corrected  supervisor  calls  to  the 
DIPC  Cleveland. 

Response:  Concur.  The  EMC  Denver  made  clianges  as  recommended  by 
the  auditors  durino  the  past  reviews.  Efforts  are  underway  to 
make  changes  by  prioritizing  the  systems  for  Inplementation. 

While  all  SVCs  are  being  reviewed,  the  required  work  to 
ademiately  comply  with  the  reconmendation  on  SVCs  *  ,  we 
estimate  a  con^letion  date  of  31  May  1996.  It  is  inportant  to 
note  that  in  some  cases  we  are  dependent  on  FSA  support  and 
interagency  cooperation.  We  have  inherited  back- leveled  systems 
and  are  in  the  process  of  inplennentlng  changes  as  quickly  as 
possible  without  inpacting  production.  We  will  not  be  spending 
any  effort  on  System  B  as  we  are  in  the  process  of  migrating  tnat 
system,  with  the  cooperation  of  the  customer,  to  another  platform 
which  will  eliminate ’it  entirely.  The  estimated  cotnpletlon  date 
for  SYB  to  migrate  is  31  December  1995. 

7.  Rsccosnandation  B.l.a:  Inrplement  bypass  label  processing 
control  that  allows  access  to  only  tape  files, 

Raspoxxsax  Concur.  The  bypass  label  processing  (6LP)  was 
reviewed  and  corrective  action  was  tai^n  in  April  1995  to  allow 
access  to  only  tape  files.  Therefore,  we  recommend  this  action 
be  closed. 

8.  Recommendation  B.l.bt  Remove  the  N09UBCHK  special  privilege 
attribute  from  system  software  that  support  DFAS  application. 

Response;  Concur.  The  HOSUBCHK  attribute  was  reviewed  and  a 
technical  problem  was  found.  Computer  Associates  clwmged  some 
codes  preventing  the  NOSUBCHK  from  being  removed.  However, 
CocTputer  Associates  has  agreed  to  correct  the  problem.  Once  this 
has  been  acconpllshed,  DISA  WESTHEM  will  remove  the  NOSOBCHK 
attribute.  Estimated  conpletion  date  is  December  1995. 

9.  RecoRvnendatlon  B.4t  Direct  the  Automated  Information 
Security  Officer  at  DISA  WESTHEM  and  DIPC- Cleveland  to  control 
sensitive  utilities  by  inplementlng  the  protected  program  list 
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And  ^Acial  ACCA60  rulAB  ffiatures  of  the  Ooniputer  Associates, 
Incorporated,  Access  Ocantrol  Facility  2  security  software. 

Rroonaei  Concur.  DISA  WESTHEM  published  the  MVS  Security 
Technical  Inplementation  Standards  in  Dec«nbcr  19S4  which  was 
disseminated  to  all  of  the  CMCs  for  implementation.  This 
document  identifies  and  describes  how  to  secure  sensitive 
utilities  for  each  security  control  product.  As  new  information 
is  available,  the  standard  will  be  updated.  Recomn^nd  this 
action  be  closed  as  the  recommendation  is  currently  bring 
inplemented. 

10*  Reconmendation  B.5s  Reconmeiid  the  Chief  Information  Officer 
approve  the  request  from  the  Security  Officer,  DISA  WESTHEM,  to 
waive  the  C2  requirenient  for  autoerase  and  erase-on-delete  at  all 
IMCS. 


Response:  Concur  in  Part,  The  DISA  WESIHEM  security  officer  has 
not  subnltted  the  request  to  the  CIO  as  they  are  reviewing 
alternative  solutions  to  meet  this  requirement.  The  DISA  WESTHEM 
security  office  has  been  tasked  to  provide  their  plan  of  action 
to  DISA  WESTHEM  Headquarters  by  30  June  1995, 

11.  Recoennendatian  C.l.ai  Direct  DMC  Cblunibus  to  conmlete  by 
May  1995  the  recertification  review  of  the  organization' s 
conputer  systems  as  required  by  the  Office  of  Management  and 
Budget  Circular  No.  A-130. 

Response:  Ocncur,  The  recertification  review  is  being  performed 
by  the  DISA  Center  for  Information  Systems  Security  (CISS) .  The 
in  process  review  is  scheduled  for  July  1995. 

12.  Recoomendatlcn  C.l.b:  Finalize  Che  DISA  WESTHEM  Policy 
Letter  95-4,  '■Security  Guidance  for  DISA  WESTHEM  Automated 
Information  System  (AIS)  Contracts.'* 

Respenjat  Concur  in  Part.  DISA  WESTHEM  will  be  establishing 
security  procedures  and  the  guidance  set  forth  in  the  draft 
Policy  Letter  95-4  will  be  incorporated  in  those  procedures. 
Estimated  corrpletion  date  August  1995. 

13.  Reeonnendation  C.l.ei  Issue  a  procedure  establishing  an  in- 
housa  quality  assurance  program  to.Jtxac)^  and  analyze  the  causes 
of  abnormal  endings  to  conputer  operations  and  prevent  abnormal 
endings  due  to  repetitive  causes. 

Response:  Concur.  DISA  WESTHQ^  is  cognizant  of  the  ABENDS 
situation  and  is  in  the  process  of  taking  corrective  action.  The 
ABENDS  to  conpucer  operations  is  an  on-going  pzxsblem  and  we  can 
never  e?^ect  to  achieve  a  one  hundred  percent  prevent!^  of 
abnormal  endings.  It  is  anticipated  that  we  will  require  a 
quarterly  ABENDS  analysis  to  look  at  the  trends  and  talce 
necessary  action  for  those  ABENDS  due  to  repetitive  causes. 
Estimated  conpletion  date  of  the  in-house  procedure  is  October 
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14.  RacaBBMsadatiOQ  C.l.dt  Issue  a  procedure  establishing  an  in- 
house  quality  assurance  program  over  the  maintenance  performed 
under  automatic  data  processing  equipment  contracts. 


concur.  OISA  UBSTOEM  concurs  with  the  validity  of  the 


inplemented  corrective  action  on  17  February  1995,  as  a  result  of 
a  similar  finding  under  DoDIG  Audit  No.  94-060.  All  DMCs  have 
the  corrective  action  and  are  to  be  inplementing  the  procedures 
to  establish  an  in-house  quality  assurance  program  over  the 
maintenance  performed  under  ADP5  contracts.  Inis  corrective 
action  will  he  included  in  the  carprehensive  internal  managenent 
control  program  (IMCP)  package  DISA  WESTHEM  is  developing  for  all 
assessable  units.  Estimated  conpletlon  date  of  the  DISA  P9ES1HE34 
IMCP  which  will  incorporate  the  quality  assurance  program,  is 
November  1995, 
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DEFENSE  FINANCE  AND  ACCOUNTING  SERVICE 
FINANCIAL  SYSTEMS  ACTIVITY 

t7«0  CAST  IRVINGTON  PLACE 
DENVER.  COLORADO  •0279*8000 


DFAS-FSADE  Hiy  19.  1995 

MEMORANDUM  FOR  OFFICE  OF  THE  INSPECTOR  GENERAL 
(DEPARTMENT  OP  DEFENSE) 

ATTN:  DIRECTOR,  FINANCE  AND  ACCOUNTING 
DIRECTORATE 

SUBJECT:  Management  Comments  on  Project  No.  4FD-5058 


We  ere  forwarding  our  management  commente  regarding 
Findings  A  and  B  of  Project  No.  4FD-5058  on  draft  Audit 
Report  titled  Follow-up  Audit  of  Controls  Over  Operating 
System  and  Security  Software  and  Other  General  Controls  for 
Computer  Systems  Supporting  the  Defense  Finance  and 
Accounting  Service. 

The  PSADE  point  of  contact  is  Ms.  Lana  Cheatham, 
FSADE/SR,  DSN  926-7961. 


Director,  Denver  PSA 

Attachment : 

cc:  FSO/B  (E.  Cmar) 
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Audit  Report  4FD-506B 

PSADE  Hanagement  Conmenta  on  Findings  A  and  B 


Finding  A,  Recommendation  A4b:  The  PSADE  has  specifically 
offered  application  programing  assistance  to  the  DMC-DE 
systems  software  staff  to  install  whatever  software  changes 
they  recommend  that  will  facilitate  system  security  and 
continuation  of  efficiency  in  processing.  The  PSADE  has 
also  discontinued  further  use  of  the  supervisory  call  in 
question  in  any  additional  program  development  or 
modification. 

Finding  B,  Recommendation  B3 ;  Concur.  He  have  reviewed  and 
identified  the  ZDMS  programs  utilizing  a  special  security 
attribute  of  NOSUBCKK.  Our  programning  effort  to  remove  the 
utilization  of  this  attribute  has  been  tested  and 
implemented  in  the  production  environment  as  of 
May  1,  1995. 
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